2016-11-09 73 views

Elasticsearch query for accessing nested fields from javascript

I have the following data in elasticsearch. After matching a specific value of "Source MAC Addr", I want to aggregate on "Dest IP". How can I do this with an elasticsearch query issued from javascript?

{
  "took" : 2,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "failed" : 0
  },
  "hits" : {
    "total" : 2,
    "max_score" : 1.0,
    "hits" : [ {
      "_index" : "logstash-1",
      "_type" : "packet",
      "_id" : "bcb57f445084cc0e474366bf892f6b4ab9162a4e",
      "_score" : 1.0,
      "_source" : {
        "@source" : "logstash",
        "@source_host" : "03",
        "@message" : "72",
        "@tags" : [ ],
        "@fields" : {
          "Protocol Type" : "TCP",
          "Dst Domain" : "USER1",
          "No" : 72,
          "Timestamp" : "2016-11-08 10:46:57.691",
          "Source IP" : "10.10.10.10",
          "Source MAC Addr" : "00:00:00:00:00:00",
          "Length" : 1480,
          "Dest MAC Addr" : "ad:ad:ad:ad:ad:ad",
          "Src -> Dst" : "10.10.10.10 -> 20.20.20.20",
          "TTL" : 60,
          "Src Domain" : "act",
          "logger" : "logger",
          "Dest IP" : "20.20.20.20",
          "levelname" : "INFO",
          "Size" : 100
        }
      }
    }, {
      "_index" : "logstash",
      "_type" : "packet",
      "_id" : "d6ff9ac16f70dc2c4b3d599c74489475db124fd7",
      "_score" : 1.0,
      "_source" : {
        "message" : "aaaa\n",
        "tags" : [ "_jsonparsefailure" ],
        "@version" : "1",
        "@timestamp" : "2016-11-08T04:11:30.663Z",
        "type" : "packet",
        "host" : "10.10.10.10",
        "fingerprint" : "d6ff9ac16f70dc2c4b3d599c74489475db124fd7"
      }
    } ]
  }
}

Also, this seems to be a query result, so it would have been handy to include the query too; also I don't get what kind of aggregation you want, so a query filtering by IP and MAC should do the job without aggregation. This can also be done by first filtering by IP address and then aggregating – HolgT

Answer


Well, this seems to be a query result, so it would have been handy to include the query too. I still don't get what kind of aggregation you want, so a query filtering by IP and MAC should do it; this can also be done by first filtering by IP address and then aggregating:

"aggs": {
  "by_mac_addr": {
    "terms": {
      "field": "Source MAC Addr",
      "order": {
        "_term": "asc"
      },
      "size": 1000
    }
  }
}
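An added example (not the questioner's or answerer's code) of the filter-then-aggregate approach as it would be built from JavaScript: a bool filter on "@fields.Source MAC Addr" followed by a terms aggregation on "@fields.Dest IP", plus a reader for the buckets. The field paths come from the document above; the ".keyword" sub-fields, the "logstash-*" index name and the response values are assumptions.

```javascript
// Build the _search body: filter exact MAC, then bucket matches by destination IP.
// size: 0 suppresses the hits themselves; only the buckets come back.
function buildMacToDstIpAggregation(mac, size = 1000) {
  return {
    size: 0,
    query: {
      bool: {
        // term = exact match on the not-analyzed sub-field (assumed ".keyword");
        // on an analyzed text field the MAC would be split at ":" and never match.
        filter: [{ term: { "@fields.Source MAC Addr.keyword": mac } }]
      }
    },
    aggs: {
      by_dest_ip: { terms: { field: "@fields.Dest IP.keyword", size } }
    }
  };
}

// Reduce the aggregation response to { ip: doc_count }. Documents without the
// field (like the _jsonparsefailure line in the sample) fall into no bucket.
function bucketsToCounts(response) {
  const agg = response.aggregations && response.aggregations.by_dest_ip;
  if (!agg) return {};
  const counts = {};
  for (const b of agg.buckets) counts[b.key] = b.doc_count;
  return counts;
}

// Constructed response (sample values, not real data): what Elasticsearch would
// return for the body above if two packets went to 20.20.20.20 and one to 30.30.30.30.
const SAMPLE_RESPONSE = {
  took: 2, timed_out: false,
  hits: { total: 3, max_score: 0, hits: [] },
  aggregations: {
    by_dest_ip: {
      doc_count_error_upper_bound: 0, sum_other_doc_count: 0,
      buckets: [
        { key: "20.20.20.20", doc_count: 2 },
        { key: "30.30.30.30", doc_count: 1 }
      ]
    }
  }
};

// Sending it (Node or browser) would be, e.g.:
// fetch("http://localhost:9200/logstash-*/_search", { method: "POST",
//   headers: { "Content-Type": "application/json" },
//   body: JSON.stringify(buildMacToDstIpAggregation("00:00:00:00:00:00")) })
//   .then(r => r.json()).then(bucketsToCounts).then(console.log);
```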