我的书签
添加书签
移除书签IP Range Aggregation
Just like the dedicated date range aggregation, there is also a dedicated range aggregation for IP typed fields:
Example:
GET /ip_addresses/_search{"size": 10,"aggs": {"ip_ranges": {"ip_range": {"field": "ip","ranges": [{ "to": "10.0.0.5" },{ "from": "10.0.0.5" }]}}}}
Response:
{..."aggregations": {"ip_ranges": {"buckets": [{"key": "*-10.0.0.5","to": "10.0.0.5","doc_count": 10},{"key": "10.0.0.5-*","from": "10.0.0.5","doc_count": 260}]}}}
IP ranges can also be defined as CIDR masks:
GET /ip_addresses/_search{"size": 0,"aggs": {"ip_ranges": {"ip_range": {"field": "ip","ranges": [{ "mask": "10.0.0.0/25" },{ "mask": "10.0.0.127/25" }]}}}}
Response:
{..."aggregations": {"ip_ranges": {"buckets": [{"key": "10.0.0.0/25","from": "10.0.0.0","to": "10.0.0.128","doc_count": 128},{"key": "10.0.0.127/25","from": "10.0.0.0","to": "10.0.0.128","doc_count": 128}]}}}
Keyed Response
Setting the keyed flag to true will associate a unique string key with each bucket and return the ranges as a hash rather than an array:
GET /ip_addresses/_search{"size": 0,"aggs": {"ip_ranges": {"ip_range": {"field": "ip","ranges": [{ "to": "10.0.0.5" },{ "from": "10.0.0.5" }],"keyed": true}}}}
Response:
{..."aggregations": {"ip_ranges": {"buckets": {"*-10.0.0.5": {"to": "10.0.0.5","doc_count": 10},"10.0.0.5-*": {"from": "10.0.0.5","doc_count": 260}}}}}
It is also possible to customize the key for each range:
GET /ip_addresses/_search{"size": 0,"aggs": {"ip_ranges": {"ip_range": {"field": "ip","ranges": [{ "key": "infinity", "to": "10.0.0.5" },{ "key": "and-beyond", "from": "10.0.0.5" }],"keyed": true}}}}
Response:
{..."aggregations": {"ip_ranges": {"buckets": {"infinity": {"to": "10.0.0.5","doc_count": 10},"and-beyond": {"from": "10.0.0.5","doc_count": 260}}}}}
