Use Elasticksearch to solve TOP N issue
The raw data is like
timestamp, router, interface, src_ip, dst_ip, protocol, pkts
10000000, 1.1.1.1 1 2.2.2.2 1.3.3.3 tcp 100
10000000, 1.1.1.2 2 2.2.8.2 2.3.3.3 tcp 200
10000001, 8.1.1.1 1 2.2.2.8 3.3.3.3 udp 500
10000001, 2.1.1.1 1 2.2.8.2 4.3.3.8 udp 800
I put these data into elastic search. Now I want to solve the problem:
What is the top 3 combination of src_ip and dst_ip which send most pkts.
Translate this requirements to SQL it would be:
SELECT src_ip, dst_ip, sum(pkts) as total FROM raw_data GROUP BY src_ip, dst_ip ORDER BY total DESC LIMIT 3
Before Every thing, below are the datas, I try to do group and aggregate
{"TAG":10001,"SRC_MAC":"52:54:00:14:05:4a","DST_MAC":"52:54:00:2c:e4:7c","VLAN":1342,"COS":84,"IN_IFACE":2,"OUT_IFACE":2,"SRC_IP":"42.120.85.133","DST_IP":"42.120.83.164","SRC_MASK":24,"DST_MASK":24,"SRC_PORT":13628,"DST_PORT":13783,"PROTOCOL":"ggp","PACKETS":11,"BYTES":4330,"time":1452643200}
{"TAG":10002,"SRC_MAC":"52:54:00:5d:b5:10","DST_MAC":"52:54:00:18:d8:de","VLAN":543,"COS":66,"IN_IFACE":2,"OUT_IFACE":2,"SRC_IP":"42.120.83.123","DST_IP":"42.120.86.184","SRC_MASK":24,"DST_MASK":24,"SRC_PORT":14731,"DST_PORT":14856,"PROTOCOL":"ip","PACKETS":6,"BYTES":3958,"time":1452643200}
{"TAG":10002,"SRC_MAC":"52:54:00:50:14:e1","DST_MAC":"52:54:00:3f:50:38","VLAN":250,"COS":77,"IN_IFACE":2,"OUT_IFACE":3,"SRC_IP":"42.120.83.165","DST_IP":"42.120.86.172","SRC_MASK":24,"DST_MASK":24,"SRC_PORT":11778,"DST_PORT":14673,"PROTOCOL":"isis","PACKETS":2,"BYTES":3803,"time":1452643200}
{"TAG":10001,"SRC_MAC":"52:54:00:17:5e:e3","DST_MAC":"52:54:00:75:da:af","VLAN":2647,"COS":2,"IN_IFACE":2,"OUT_IFACE":1,"SRC_IP":"42.120.86.253","DST_IP":"42.120.83.58","SRC_MASK":24,"DST_MASK":24,"SRC_PORT":16767,"DST_PORT":16418,"PROTOCOL":"ipv6-route","PACKETS":10,"BYTES":2852,"time":1452643200}
{"TAG":10002,"SRC_MAC":"52:54:00:4a:e6:49","DST_MAC":"52:54:00:37:f2:78","VLAN":1005,"COS":88,"IN_IFACE":3,"OUT_IFACE":2,"SRC_IP":"42.120.81.90","DST_IP":"42.120.81.248","SRC_MASK":24,"DST_MASK":24,"SRC_PORT":11573,"DST_PORT":16757,"PROTOCOL":"encap","PACKETS":7,"BYTES":1745,"time":1452643200}
{"TAG":10001,"SRC_MAC":"52:54:00:52:1e:29","DST_MAC":"52:54:00:6a:2b:0e","VLAN":1816,"COS":26,"IN_IFACE":2,"OUT_IFACE":3,"SRC_IP":"42.120.82.91","DST_IP":"42.120.85.121","SRC_MASK":24,"DST_MASK":24,"SRC_PORT":15961,"DST_PORT":15761,"PROTOCOL":"gre","PACKETS":16,"BYTES":2753,"time":1452643200}
{"TAG":10000,"SRC_MAC":"52:54:00:3d:16:89","DST_MAC":"52:54:00:33:b8:54","VLAN":3393,"COS":64,"IN_IFACE":4,"OUT_IFACE":2,"SRC_IP":"42.120.86.27","DST_IP":"42.120.85.184","SRC_MASK":24,"DST_MASK":24,"SRC_PORT":18677,"DST_PORT":17202,"PROTOCOL":"eigrp","PACKETS":6,"BYTES":3474,"time":1452643200}
{"TAG":10000,"SRC_MAC":"52:54:00:01:bb:4c","DST_MAC":"52:54:00:21:91:c0","VLAN":3803,"COS":23,"IN_IFACE":1,"OUT_IFACE":2,"SRC_IP":"42.120.85.186","DST_IP":"42.120.82.206","SRC_MASK":24,"DST_MASK":24,"SRC_PORT":15093,"DST_PORT":18784,"PROTOCOL":"ospf","PACKETS":20,"BYTES":3171,"time":1452643200}
The mapping
curl -XGET localhost:9200/sflow/_mapping | json_reformat
{
"sflow": {
"mappings": {
"9k": {
"properties": {
"BYTES": {
"type": "long"
},
"COS": {
"type": "long"
},
"DST_IP": {
"type": "string"
},
"DST_MAC": {
"type": "string"
},
"DST_MASK": {
"type": "long"
},
"DST_PORT": {
"type": "long"
},
"IN_IFACE": {
"type": "long"
},
"OUT_IFACE": {
"type": "long"
},
"PACKETS": {
"type": "long"
},
"PROTOCOL": {
"type": "string"
},
"SRC_IP": {
"type": "string"
},
"SRC_MAC": {
"type": "string"
},
"SRC_MASK": {
"type": "long"
},
"SRC_PORT": {
"type": "long"
},
"TAG": {
"type": "long"
},
"VLAN": {
"type": "long"
},
"time": {
"type": "long"
}
}
}
}
}
}
The agg query
curl -XPOST 'localhost:9200/sflow/_search?pretty' -d '
{
"query": { "match_all": {} },
"aggs":
{
"by_SRC_IP":
{
"terms": {"script": "[doc.SRC_IP.value, doc.DST_IP.value].join('-')","size": 3, "order": {"sum_bits": "desc"}},
"aggs": { "sum_bits": { "sum": {"field": "BYTES"} } }
}
}
}'
The output
{
"error" : {
"root_cause" : [ {
"type" : "groovy_script_compilation_exception",
"reason" : "failed to compile groovy script"
} ],
"type" : "search_phase_execution_exception",
"reason" : "all shards failed",
"phase" : "query",
"grouped" : true,
"failed_shards" : [ {
"shard" : 0,
"index" : "sflow",
"node" : "N0xpH1hbQG-V9DU-ANfVgw",
"reason" : {
"type" : "script_exception",
"reason" : "Failed to compile inline script [[doc.SRC_IP.value, doc.DST_IP.value].join(-)] using lang [groovy]",
"caused_by" : {
"type" : "groovy_script_compilation_exception",
"reason" : "failed to compile groovy script",
"caused_by" : {
"type" : "multiple_compilation_errors_exception",
"reason" : "startup failed:\nc6d3ea304aad32f8cc4f0efa6b5540cf0ad6be1a: 1: unexpected token: ) @ line 1, column 44.\n alue, doc.DST_IP.value].join(-)\n ^\n\n1 error\n"
}
}
}
} ]
},
"status" : 500
}
Use Elasticksearch to solve TOP N issue的更多相关文章
- Solve Hibernate Lazy-Init issue with hibernate.enable_lazy_load_no_trans
I have been suffering from infamous hibernate exception org.hibernate.LazyInitializationException: c ...
- Oracle Cannot Update TOP N Issue, 请专家解答
大家好 上周写了匿名方法一文,很多读者,很高兴,相信我们已经从大伙的回复中,对.NET又有了更深刻的认识. 好,现在说主题,各类数据库都有相应更新本表top n的方案.现在我一一举例 首先看表结构如下 ...
- 一个DIV三列布局100%高度自适应的好例子(国外)
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W ...
- Replacing JNI Crashes by Exceptions on Android
http://blog.httrack.com/blog/2013/08/23/catching-posix-signals-on-android/ To Report Or Not To Repor ...
- 转:Monoids and Finger Trees
转自:http://apfelmus.nfshost.com/articles/monoid-fingertree.html This post grew out of the big monoid ...
- 小强的HTML5移动开发之路(5)——制作一个漂亮的视频播放器
来自:http://blog.csdn.net/dawanganban/article/details/17679069 在前面几篇文章中介绍了HTML5的特点和需要掌握的基础知识,下面我们开始真正的 ...
- HDU 5988.Coding Contest 最小费用最大流
Coding Contest Time Limit: 2000/1000 MS (Java/Others) Memory Limit: 65536/65536 K (Java/Others)To ...
- Coding Contest(费用流变形题,double)
Coding Contest http://acm.hdu.edu.cn/showproblem.php?pid=5988 Time Limit: 2000/1000 MS (Java/Others) ...
- Ethereum White Paper
https://github.com/ethereum/wiki/wiki/White-Paper White Paper EditNew Page James Ray edited this pag ...
随机推荐
- idea 部署struts所遇到的问题\
1.org.apache.struts2.dispatcher.filter.StrutsPrepareAndExecuteFilter 加载失败 解决方法:下载struts2 的源码包,然后将D:\ ...
- iOS----时间日期处理
时间日期处理 1.NSDateFormatter 日期格式化 ①可以把NSString 类型转为 NSDate类型 举例 把 "2015-08-23 19:46:14" 转为NSD ...
- InChatter系统之客户端实现原理与阶段小结
InChatter客户端的开发可以说是目前系统的阶段性结尾了.很抱歉的是,这篇文章来的这么晚,迟到了这么久. 在客户端的开发主要针对两个方面: 消息的传输与处理 消息的UI交互处理 一.消息的传输与处 ...
- sql server 2008 r2 无法定位到数据库文件目录
像这样,选择数据库文件时, 无法定位到文件夹目录,子目录下的都不显示.明明选择的这个文件夹里还有很多子文件夹,却显示不了. 解决方法: 在此文件夹上右击,属性-安全 添加红框中的用户就可以了.
- zookeeper启动
Zookeeper启动总结1.实际项目用的是Linux,问题不大,本地开发学习用Windows,问题多多.2.Zookeeper3.5.1-alpha,和本地JDK1.7,有冲突,无法正常启动.3.Z ...
- 模块 (Module)
#1.模块概念的官网描述 -- Module If you quit from the Python interpreter and enter it again, the definitions y ...
- webstorm里直接调用命令行
写代码写到一半要切换窗口出去敲命令行?webstorm的external tools可以帮你省下一点时间 举例说明,比如我要直接使用npm: ctrl+alt+s打开setting菜单,找到exter ...
- KMP中next数组的理解与应用
理解 1.next数组一直往前走 next数组一直往前走,得到的所有前缀也是当前主串的后缀,当然了,也是当前主串的前缀. 2.周期性字符串 1.周期性字符串$\Leftrightarrow n \,\ ...
- java_udp编程
两个重要的类: https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/DatagramPacket.html ht ...
- Windows文件自删除的两种方法
可执行模块的自删除技术已经被讨论的很多, 有很多极富创意的思路和想法被提出, 但有些似是而非的方案往往使人误入歧途. 举个例子来说, 很多文章认为下面的一小段代码可以实现自删除:void main(v ...