The raw data is like

timestamp,   router,    interface,   src_ip,    dst_ip,    protocol,   pkts

10000000,    1.1.1.1    1            2.2.2.2    1.3.3.3    tcp         100

10000000,    1.1.1.2    2            2.2.8.2    2.3.3.3    tcp         200

10000001,    8.1.1.1    1            2.2.2.8    3.3.3.3    udp         500

10000001,    2.1.1.1    1            2.2.8.2    4.3.3.8    udp         800

I put these data into elastic search. Now I want to solve the problem:

What is the top 3 combination of src_ip and dst_ip which send most pkts.

Translate this requirements to SQL it would be:

    SELECT src_ip, dst_ip, sum(pkts) as total FROM raw_data GROUP BY src_ip, dst_ip ORDER BY total DESC LIMIT 3

Before Every thing, below are the datas, I try to do group and aggregate

{"TAG":10001,"SRC_MAC":"52:54:00:14:05:4a","DST_MAC":"52:54:00:2c:e4:7c","VLAN":1342,"COS":84,"IN_IFACE":2,"OUT_IFACE":2,"SRC_IP":"42.120.85.133","DST_IP":"42.120.83.164","SRC_MASK":24,"DST_MASK":24,"SRC_PORT":13628,"DST_PORT":13783,"PROTOCOL":"ggp","PACKETS":11,"BYTES":4330,"time":1452643200}

{"TAG":10002,"SRC_MAC":"52:54:00:5d:b5:10","DST_MAC":"52:54:00:18:d8:de","VLAN":543,"COS":66,"IN_IFACE":2,"OUT_IFACE":2,"SRC_IP":"42.120.83.123","DST_IP":"42.120.86.184","SRC_MASK":24,"DST_MASK":24,"SRC_PORT":14731,"DST_PORT":14856,"PROTOCOL":"ip","PACKETS":6,"BYTES":3958,"time":1452643200}

{"TAG":10002,"SRC_MAC":"52:54:00:50:14:e1","DST_MAC":"52:54:00:3f:50:38","VLAN":250,"COS":77,"IN_IFACE":2,"OUT_IFACE":3,"SRC_IP":"42.120.83.165","DST_IP":"42.120.86.172","SRC_MASK":24,"DST_MASK":24,"SRC_PORT":11778,"DST_PORT":14673,"PROTOCOL":"isis","PACKETS":2,"BYTES":3803,"time":1452643200}

{"TAG":10001,"SRC_MAC":"52:54:00:17:5e:e3","DST_MAC":"52:54:00:75:da:af","VLAN":2647,"COS":2,"IN_IFACE":2,"OUT_IFACE":1,"SRC_IP":"42.120.86.253","DST_IP":"42.120.83.58","SRC_MASK":24,"DST_MASK":24,"SRC_PORT":16767,"DST_PORT":16418,"PROTOCOL":"ipv6-route","PACKETS":10,"BYTES":2852,"time":1452643200}

{"TAG":10002,"SRC_MAC":"52:54:00:4a:e6:49","DST_MAC":"52:54:00:37:f2:78","VLAN":1005,"COS":88,"IN_IFACE":3,"OUT_IFACE":2,"SRC_IP":"42.120.81.90","DST_IP":"42.120.81.248","SRC_MASK":24,"DST_MASK":24,"SRC_PORT":11573,"DST_PORT":16757,"PROTOCOL":"encap","PACKETS":7,"BYTES":1745,"time":1452643200}

{"TAG":10001,"SRC_MAC":"52:54:00:52:1e:29","DST_MAC":"52:54:00:6a:2b:0e","VLAN":1816,"COS":26,"IN_IFACE":2,"OUT_IFACE":3,"SRC_IP":"42.120.82.91","DST_IP":"42.120.85.121","SRC_MASK":24,"DST_MASK":24,"SRC_PORT":15961,"DST_PORT":15761,"PROTOCOL":"gre","PACKETS":16,"BYTES":2753,"time":1452643200}

{"TAG":10000,"SRC_MAC":"52:54:00:3d:16:89","DST_MAC":"52:54:00:33:b8:54","VLAN":3393,"COS":64,"IN_IFACE":4,"OUT_IFACE":2,"SRC_IP":"42.120.86.27","DST_IP":"42.120.85.184","SRC_MASK":24,"DST_MASK":24,"SRC_PORT":18677,"DST_PORT":17202,"PROTOCOL":"eigrp","PACKETS":6,"BYTES":3474,"time":1452643200}

{"TAG":10000,"SRC_MAC":"52:54:00:01:bb:4c","DST_MAC":"52:54:00:21:91:c0","VLAN":3803,"COS":23,"IN_IFACE":1,"OUT_IFACE":2,"SRC_IP":"42.120.85.186","DST_IP":"42.120.82.206","SRC_MASK":24,"DST_MASK":24,"SRC_PORT":15093,"DST_PORT":18784,"PROTOCOL":"ospf","PACKETS":20,"BYTES":3171,"time":1452643200}

The mapping

	curl -XGET localhost:9200/sflow/_mapping | json_reformat 

	{

		"sflow": {

			"mappings": {

				"9k": {

					"properties": {

						"BYTES": {

							"type": "long"

						},

						"COS": {

							"type": "long"

						},

						"DST_IP": {

							"type": "string"

						},

						"DST_MAC": {

							"type": "string"

						},

						"DST_MASK": {

							"type": "long"

						},

						"DST_PORT": {

							"type": "long"

						},

						"IN_IFACE": {

							"type": "long"

						},

						"OUT_IFACE": {

							"type": "long"

						},

						"PACKETS": {

							"type": "long"

						},

						"PROTOCOL": {

							"type": "string"

						},

						"SRC_IP": {

							"type": "string"

						},

						"SRC_MAC": {

							"type": "string"

						},

						"SRC_MASK": {

							"type": "long"

						},

						"SRC_PORT": {

							"type": "long"

						},

						"TAG": {

							"type": "long"

						},

						"VLAN": {

							"type": "long"

						},

						"time": {

							"type": "long"

						}

					}

				}

			}

		}

	}

The agg query

curl -XPOST 'localhost:9200/sflow/_search?pretty' -d '

{

  "query": { "match_all": {} },

	"aggs":

		{

			"by_SRC_IP":

				{

					"terms": {"script": "[doc.SRC_IP.value, doc.DST_IP.value].join('-')","size": 3, "order": {"sum_bits": "desc"}},

					"aggs": { "sum_bits": { "sum": {"field": "BYTES"} } }

				}

		}

}'

The output

{

  "error" : {

    "root_cause" : [ {

      "type" : "groovy_script_compilation_exception",

      "reason" : "failed to compile groovy script"

    } ],

    "type" : "search_phase_execution_exception",

    "reason" : "all shards failed",

    "phase" : "query",

    "grouped" : true,

    "failed_shards" : [ {

      "shard" : 0,

      "index" : "sflow",

      "node" : "N0xpH1hbQG-V9DU-ANfVgw",

      "reason" : {

        "type" : "script_exception",

        "reason" : "Failed to compile inline script [[doc.SRC_IP.value, doc.DST_IP.value].join(-)] using lang [groovy]",

        "caused_by" : {

          "type" : "groovy_script_compilation_exception",

          "reason" : "failed to compile groovy script",

          "caused_by" : {

            "type" : "multiple_compilation_errors_exception",

            "reason" : "startup failed:\nc6d3ea304aad32f8cc4f0efa6b5540cf0ad6be1a: 1: unexpected token: ) @ line 1, column 44.\n   alue, doc.DST_IP.value].join(-)\n                                 ^\n\n1 error\n"

          }

        }

      }

    } ]

  },

  "status" : 500

}

Use Elasticksearch to solve TOP N issue的更多相关文章

  1. Solve Hibernate Lazy-Init issue with hibernate.enable_lazy_load_no_trans

    I have been suffering from infamous hibernate exception org.hibernate.LazyInitializationException: c ...

  2. Oracle Cannot Update TOP N Issue, 请专家解答

    大家好 上周写了匿名方法一文,很多读者,很高兴,相信我们已经从大伙的回复中,对.NET又有了更深刻的认识. 好,现在说主题,各类数据库都有相应更新本表top n的方案.现在我一一举例 首先看表结构如下 ...

  3. 一个DIV三列布局100%高度自适应的好例子(国外)

    <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W ...

  4. Replacing JNI Crashes by Exceptions on Android

    http://blog.httrack.com/blog/2013/08/23/catching-posix-signals-on-android/ To Report Or Not To Repor ...

  5. 转:Monoids and Finger Trees

    转自:http://apfelmus.nfshost.com/articles/monoid-fingertree.html This post grew out of the big monoid ...

  6. 小强的HTML5移动开发之路(5)——制作一个漂亮的视频播放器

    来自:http://blog.csdn.net/dawanganban/article/details/17679069 在前面几篇文章中介绍了HTML5的特点和需要掌握的基础知识,下面我们开始真正的 ...

  7. HDU 5988.Coding Contest 最小费用最大流

    Coding Contest Time Limit: 2000/1000 MS (Java/Others)    Memory Limit: 65536/65536 K (Java/Others)To ...

  8. Coding Contest(费用流变形题,double)

    Coding Contest http://acm.hdu.edu.cn/showproblem.php?pid=5988 Time Limit: 2000/1000 MS (Java/Others) ...

  9. Ethereum White Paper

    https://github.com/ethereum/wiki/wiki/White-Paper White Paper EditNew Page James Ray edited this pag ...

随机推荐

  1. (Android MVVM)使用Data Binding Library(1)

    Data Binding Library 用官方提供的Data Binding Library,可以最大限度的减少findViewById(),setOnClickListener()之类的胶水代码, ...

  2. Scala基础篇-函数式编程的重要特性

    1.纯函数 表示函数无副作用(状态变化). 2.引用透明性 表示对相同输入,总是得到相同输出. 3.函数是一等公民 函数与变量.对象.类是同一等级.表示可以把函数当做参数传入另一个函数,或者作为函数的 ...

  3. Delphi win10 asssertion failure

    Delphi2007 原来安装在Win7 下 运行正常, 自从升级到Win10 ,新建工程运行然后关闭报错, 报错信息如下: ---------------------------bds.exe - ...

  4. CAD参数绘制固定批注(网页版)

    js中实现代码说明: 自定义实体绘制函数 function ExplodeFun(pCustomEntity, pWorldDraw, txt) { var sGuid = pCustomEntity ...

  5. java “==”和“equals”

    菜呀,只能记笔记了 ==:如果是基本数据类型,比较值,如果是引用类型,比较地址 equals:比较值

  6. 第2节 mapreduce深入学习:11、maptask运行机制(多看几遍)

    mapTask运行机制详解以及mapTask的并行度在mapTask当中,一个文件的切片大小使用默认值是128M,就是跟我们一个block块对应大小一样 MapTask运行的整个过程 背下来1.Tex ...

  7. iphone X 的适配

    <!DOCTYPE html> <html> <head> <meta charset="UTF-8"> <title> ...

  8. MATLAB优化——减少for的使用

    Table of Contents 1. MATLAB 2. 矩阵计算--全0行整体替换 MATLAB MATLAB作为一个强大的工具(可惜是收费的),在矩阵运算.绘制函数和数据.实现算法.创建用户界 ...

  9. centos 简单用户管理

    一.配置文件 /etc/passwd:存放用户信息,以“:”分割成7个部分 1.账号名称,用来对应UID: 2.早期密码存放位置,后来密码改存/etc/shadow中,以“x”代替: 3.UID,使用 ...

  10. linux上uwsgi+nginx+django发布项目

    在发布项目前首先将部署环境进行搭建,尤其是依赖包一定需要提前安装. 一.虚拟环境的搭建 1.建议在linux下新建一个虚拟环境,这样有独立干净的环境. mkvirtualenv -p python3 ...