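-- Portscan alerts from adf_idslog, one result row per (f, c, d) group,
-- carrying the hit count and the latest insert_time of that group.
-- The original selected a, b, e, g without grouping or aggregating them,
-- which is non-ANSI and returns an engine-chosen row; here they are taken
-- deterministically from the most recent row of each group, which mirrors
-- the single top_hits document used by the Elasticsearch version of this
-- query. Output column names and order are unchanged.
WITH portscan_rows AS (
    SELECT
        a,
        b,
        c,
        d,
        e,
        f,
        g,
        insert_time,
        -- 1 marks the newest row of each (f, c, d) group
        ROW_NUMBER() OVER (PARTITION BY f, c, d ORDER BY insert_time DESC) AS rn,
        COUNT(*) OVER (PARTITION BY f, c, d) AS group_count,
        MAX(insert_time) OVER (PARTITION BY f, c, d) AS group_max_time
    FROM adf_idslog
    -- single quotes: double quotes denote identifiers in ANSI SQL and only
    -- happen to work as string literals under MySQL defaults / SQLite fallback
    WHERE plugin = 'detect_portscan'
)
SELECT
    a,
    b,
    group_count AS count,
    c,
    d,
    e,
    f,
    g,
    group_max_time AS insert_time
FROM portscan_rows
WHERE rn = 1
ORDER BY group_max_time DESC;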
{
"query": {
"bool": {
"must": [
{
"term": {
"plugin.keyword": "detect_portscan"
}
}
]
}
},
"size": 0,
"aggs": {
"type": {
"terms": {
"field": "f.keyword",
"size": 100
},
"aggs": {
"ip_src": {
"terms": {
"field": "c.keyword",
"size": 100
},
"aggs": {
"ip_dst": {
"terms": {
"field": "d.keyword",
"size": 100,
"order": {
"max_insert_time": "desc"
}
},
"aggs": {
"max_insert_time": {
"max": {
"field": "insert_time"
}
},
"top": {
"top_hits": {
"_source": [
"a",
"b",
"c",
"d",
"e",
"f",
"g"
],
"size": 1
}
}
}
}
}
}
}
}
}
}
-- Repeated fragment of the query at the top of the page: the SELECT list is
-- missing here, so this is not a runnable statement on its own. The filter,
-- grouping and ordering are identical to the first copy.
FROM adf_idslog
where plugin = "detect_portscan"
GROUP BY f,c,d
ORDER BY max(insert_time) DESC
{
"query": {
"bool": {
"must": [
{
"term": {
"plugin.keyword": "detect_portscan"
}
}
]
}
},
"size": 0,
"aggs": {
"type": {
"terms": {
"field": "f.keyword",
"size": 100
},
"aggs": {
"ip_src": {
"terms": {
"field": "c.keyword",
"size": 100
},
"aggs": {
"ip_dst": {
"terms": {
"field": "d.keyword",
"size": 100,
"order": {
"max_insert_time": "desc"
}
},
"aggs": {
"max_insert_time": {
"max": {
"field": "insert_time"
}
},
"top": {
"top_hits": {
"_source": [
"a",
"b",
"c",
"d",
"e",
"f",
"g"
],
"size": 1
}
}
}
}
}
}
}
}
}
}