The raw data is like

timestamp,   router,    interface,   src_ip,    dst_ip,    protocol,   pkts

10000000,    1.1.1.1    1            2.2.2.2    1.3.3.3    tcp         100

10000000,    1.1.1.2    2            2.2.8.2    2.3.3.3    tcp         200

10000001,    8.1.1.1    1            2.2.2.8    3.3.3.3    udp         500

10000001,    2.1.1.1    1            2.2.8.2    4.3.3.8    udp         800

I put these data into elastic search. Now I want to solve the problem:

What is the top 3 combination of src_ip and dst_ip which send most pkts.

Translate this requirements to SQL it would be:

    SELECT src_ip, dst_ip, sum(pkts) as total FROM raw_data GROUP BY src_ip, dst_ip ORDER BY total DESC LIMIT 3

Before Every thing, below are the datas, I try to do group and aggregate

{"TAG":10001,"SRC_MAC":"52:54:00:14:05:4a","DST_MAC":"52:54:00:2c:e4:7c","VLAN":1342,"COS":84,"IN_IFACE":2,"OUT_IFACE":2,"SRC_IP":"42.120.85.133","DST_IP":"42.120.83.164","SRC_MASK":24,"DST_MASK":24,"SRC_PORT":13628,"DST_PORT":13783,"PROTOCOL":"ggp","PACKETS":11,"BYTES":4330,"time":1452643200}

{"TAG":10002,"SRC_MAC":"52:54:00:5d:b5:10","DST_MAC":"52:54:00:18:d8:de","VLAN":543,"COS":66,"IN_IFACE":2,"OUT_IFACE":2,"SRC_IP":"42.120.83.123","DST_IP":"42.120.86.184","SRC_MASK":24,"DST_MASK":24,"SRC_PORT":14731,"DST_PORT":14856,"PROTOCOL":"ip","PACKETS":6,"BYTES":3958,"time":1452643200}

{"TAG":10002,"SRC_MAC":"52:54:00:50:14:e1","DST_MAC":"52:54:00:3f:50:38","VLAN":250,"COS":77,"IN_IFACE":2,"OUT_IFACE":3,"SRC_IP":"42.120.83.165","DST_IP":"42.120.86.172","SRC_MASK":24,"DST_MASK":24,"SRC_PORT":11778,"DST_PORT":14673,"PROTOCOL":"isis","PACKETS":2,"BYTES":3803,"time":1452643200}

{"TAG":10001,"SRC_MAC":"52:54:00:17:5e:e3","DST_MAC":"52:54:00:75:da:af","VLAN":2647,"COS":2,"IN_IFACE":2,"OUT_IFACE":1,"SRC_IP":"42.120.86.253","DST_IP":"42.120.83.58","SRC_MASK":24,"DST_MASK":24,"SRC_PORT":16767,"DST_PORT":16418,"PROTOCOL":"ipv6-route","PACKETS":10,"BYTES":2852,"time":1452643200}

{"TAG":10002,"SRC_MAC":"52:54:00:4a:e6:49","DST_MAC":"52:54:00:37:f2:78","VLAN":1005,"COS":88,"IN_IFACE":3,"OUT_IFACE":2,"SRC_IP":"42.120.81.90","DST_IP":"42.120.81.248","SRC_MASK":24,"DST_MASK":24,"SRC_PORT":11573,"DST_PORT":16757,"PROTOCOL":"encap","PACKETS":7,"BYTES":1745,"time":1452643200}

{"TAG":10001,"SRC_MAC":"52:54:00:52:1e:29","DST_MAC":"52:54:00:6a:2b:0e","VLAN":1816,"COS":26,"IN_IFACE":2,"OUT_IFACE":3,"SRC_IP":"42.120.82.91","DST_IP":"42.120.85.121","SRC_MASK":24,"DST_MASK":24,"SRC_PORT":15961,"DST_PORT":15761,"PROTOCOL":"gre","PACKETS":16,"BYTES":2753,"time":1452643200}

{"TAG":10000,"SRC_MAC":"52:54:00:3d:16:89","DST_MAC":"52:54:00:33:b8:54","VLAN":3393,"COS":64,"IN_IFACE":4,"OUT_IFACE":2,"SRC_IP":"42.120.86.27","DST_IP":"42.120.85.184","SRC_MASK":24,"DST_MASK":24,"SRC_PORT":18677,"DST_PORT":17202,"PROTOCOL":"eigrp","PACKETS":6,"BYTES":3474,"time":1452643200}

{"TAG":10000,"SRC_MAC":"52:54:00:01:bb:4c","DST_MAC":"52:54:00:21:91:c0","VLAN":3803,"COS":23,"IN_IFACE":1,"OUT_IFACE":2,"SRC_IP":"42.120.85.186","DST_IP":"42.120.82.206","SRC_MASK":24,"DST_MASK":24,"SRC_PORT":15093,"DST_PORT":18784,"PROTOCOL":"ospf","PACKETS":20,"BYTES":3171,"time":1452643200}

The mapping

	curl -XGET localhost:9200/sflow/_mapping | json_reformat 

	{

		"sflow": {

			"mappings": {

				"9k": {

					"properties": {

						"BYTES": {

							"type": "long"

						},

						"COS": {

							"type": "long"

						},

						"DST_IP": {

							"type": "string"

						},

						"DST_MAC": {

							"type": "string"

						},

						"DST_MASK": {

							"type": "long"

						},

						"DST_PORT": {

							"type": "long"

						},

						"IN_IFACE": {

							"type": "long"

						},

						"OUT_IFACE": {

							"type": "long"

						},

						"PACKETS": {

							"type": "long"

						},

						"PROTOCOL": {

							"type": "string"

						},

						"SRC_IP": {

							"type": "string"

						},

						"SRC_MAC": {

							"type": "string"

						},

						"SRC_MASK": {

							"type": "long"

						},

						"SRC_PORT": {

							"type": "long"

						},

						"TAG": {

							"type": "long"

						},

						"VLAN": {

							"type": "long"

						},

						"time": {

							"type": "long"

						}

					}

				}

			}

		}

	}

The agg query

curl -XPOST 'localhost:9200/sflow/_search?pretty' -d '

{

  "query": { "match_all": {} },

	"aggs":

		{

			"by_SRC_IP":

				{

					"terms": {"script": "[doc.SRC_IP.value, doc.DST_IP.value].join('-')","size": 3, "order": {"sum_bits": "desc"}},

					"aggs": { "sum_bits": { "sum": {"field": "BYTES"} } }

				}

		}

}'

The output

{

  "error" : {

    "root_cause" : [ {

      "type" : "groovy_script_compilation_exception",

      "reason" : "failed to compile groovy script"

    } ],

    "type" : "search_phase_execution_exception",

    "reason" : "all shards failed",

    "phase" : "query",

    "grouped" : true,

    "failed_shards" : [ {

      "shard" : 0,

      "index" : "sflow",

      "node" : "N0xpH1hbQG-V9DU-ANfVgw",

      "reason" : {

        "type" : "script_exception",

        "reason" : "Failed to compile inline script [[doc.SRC_IP.value, doc.DST_IP.value].join(-)] using lang [groovy]",

        "caused_by" : {

          "type" : "groovy_script_compilation_exception",

          "reason" : "failed to compile groovy script",

          "caused_by" : {

            "type" : "multiple_compilation_errors_exception",

            "reason" : "startup failed:\nc6d3ea304aad32f8cc4f0efa6b5540cf0ad6be1a: 1: unexpected token: ) @ line 1, column 44.\n   alue, doc.DST_IP.value].join(-)\n                                 ^\n\n1 error\n"

          }

        }

      }

    } ]

  },

  "status" : 500

}

Use Elasticksearch to solve TOP N issue的更多相关文章

  1. Solve Hibernate Lazy-Init issue with hibernate.enable_lazy_load_no_trans

    I have been suffering from infamous hibernate exception org.hibernate.LazyInitializationException: c ...

  2. Oracle Cannot Update TOP N Issue, 请专家解答

    大家好 上周写了匿名方法一文,很多读者,很高兴,相信我们已经从大伙的回复中,对.NET又有了更深刻的认识. 好,现在说主题,各类数据库都有相应更新本表top n的方案.现在我一一举例 首先看表结构如下 ...

  3. 一个DIV三列布局100%高度自适应的好例子(国外)

    <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W ...

  4. Replacing JNI Crashes by Exceptions on Android

    http://blog.httrack.com/blog/2013/08/23/catching-posix-signals-on-android/ To Report Or Not To Repor ...

  5. 转:Monoids and Finger Trees

    转自:http://apfelmus.nfshost.com/articles/monoid-fingertree.html This post grew out of the big monoid ...

  6. 小强的HTML5移动开发之路(5)——制作一个漂亮的视频播放器

    来自:http://blog.csdn.net/dawanganban/article/details/17679069 在前面几篇文章中介绍了HTML5的特点和需要掌握的基础知识,下面我们开始真正的 ...

  7. HDU 5988.Coding Contest 最小费用最大流

    Coding Contest Time Limit: 2000/1000 MS (Java/Others)    Memory Limit: 65536/65536 K (Java/Others)To ...

  8. Coding Contest(费用流变形题,double)

    Coding Contest http://acm.hdu.edu.cn/showproblem.php?pid=5988 Time Limit: 2000/1000 MS (Java/Others) ...

  9. Ethereum White Paper

    https://github.com/ethereum/wiki/wiki/White-Paper White Paper EditNew Page James Ray edited this pag ...

随机推荐

  1. 短视频SDK用于旅游行业

    超级简单易用的短视频SDK来自RDSDK.COM.锐动天地为开发者提供短视频编辑.视频直播.特效.录屏.编解码.视频转换,等多种解决方案,涵盖PC.iOS.Android多平台.以市场为导向,不断打磨 ...

  2. Java语法基础-static关键字

    static关键字说明 “static方法就是没有this的方法.在static方法内部不能调用非静态方法,反过来是可以的.而且可以在没有创建任何对象的前提下,仅仅通过类本身来调用static方法.这 ...

  3. iOS之NSAttributedString-------字符属性

    NSAttributedString 字符属性 字符属性可以应用于 attributed string 的文本中. NSString *const NSFontAttributeName;(字体) N ...

  4. Farseer.net轻量级ORM开源框架 V1.5版本升级消息

    SHA-1: 0ede88104f269f108b68be1e87ffcead4a354ec6 * 提交V1.5版本1.新增:整表缓存的实现方式(提取接口,可由客户端算定义实现)2.新增:SQL配置化 ...

  5. asterisk-java ami5 分机状态,挂机原因之类的

    这些东西网上随便一找一大堆,也只是记录下自己找的.方便以后自己复制粘贴用. 最后为啦实现分机状态在web的实时更新,我选择啦使用websocket. //获得分机状态 public static St ...

  6. android 设置跳转

    android.provider.Settings. 1.   ACTION_ACCESSIBILITY_SETTINGS :    // 跳转系统的辅助功能界面            Intent ...

  7. 使用VC++编写QQ群发器,MFC做UI

    由于公司业务需要,QQ群发器经常被用来发送QQ广告,购买的QQ群发器不好用不说,而且是按机器收费的,有些功能还不能修改. 所以公司派我来开发一款自己的QQ群发器,我给群发器取名叫做飞速群发器,用来给软 ...

  8. HDU_1542_(树状数组)

    Stars Time Limit: 2000/1000 MS (Java/Others)    Memory Limit: 65536/32768 K (Java/Others)Total Submi ...

  9. CAD嵌套打印(com接口版)

    当用户需要打印两个CAD控件的图纸时,可以采用嵌套打印实现.实现嵌套打印功能,首先将两个CAD控件放入网页中,C#代码如下: private void BatchPrintDialog() { MxD ...

  10. 扩展 IHttpModule

    上篇提到请求进入到System.Web后,创建完HttpApplication对象后会执行一堆的管道事件,然后可以通过HttpModule来对其进行扩展,那么这篇文章就来介绍下如何定义我们自己的mod ...