Use Elasticksearch to solve TOP N issue
The raw data is like
timestamp, router, interface, src_ip, dst_ip, protocol, pkts
10000000, 1.1.1.1 1 2.2.2.2 1.3.3.3 tcp 100
10000000, 1.1.1.2 2 2.2.8.2 2.3.3.3 tcp 200
10000001, 8.1.1.1 1 2.2.2.8 3.3.3.3 udp 500
10000001, 2.1.1.1 1 2.2.8.2 4.3.3.8 udp 800
I put these data into elastic search. Now I want to solve the problem:
What is the top 3 combination of src_ip and dst_ip which send most pkts.
Translate this requirements to SQL it would be:
SELECT src_ip, dst_ip, sum(pkts) as total FROM raw_data GROUP BY src_ip, dst_ip ORDER BY total DESC LIMIT 3
Before Every thing, below are the datas, I try to do group and aggregate
{"TAG":10001,"SRC_MAC":"52:54:00:14:05:4a","DST_MAC":"52:54:00:2c:e4:7c","VLAN":1342,"COS":84,"IN_IFACE":2,"OUT_IFACE":2,"SRC_IP":"42.120.85.133","DST_IP":"42.120.83.164","SRC_MASK":24,"DST_MASK":24,"SRC_PORT":13628,"DST_PORT":13783,"PROTOCOL":"ggp","PACKETS":11,"BYTES":4330,"time":1452643200}
{"TAG":10002,"SRC_MAC":"52:54:00:5d:b5:10","DST_MAC":"52:54:00:18:d8:de","VLAN":543,"COS":66,"IN_IFACE":2,"OUT_IFACE":2,"SRC_IP":"42.120.83.123","DST_IP":"42.120.86.184","SRC_MASK":24,"DST_MASK":24,"SRC_PORT":14731,"DST_PORT":14856,"PROTOCOL":"ip","PACKETS":6,"BYTES":3958,"time":1452643200}
{"TAG":10002,"SRC_MAC":"52:54:00:50:14:e1","DST_MAC":"52:54:00:3f:50:38","VLAN":250,"COS":77,"IN_IFACE":2,"OUT_IFACE":3,"SRC_IP":"42.120.83.165","DST_IP":"42.120.86.172","SRC_MASK":24,"DST_MASK":24,"SRC_PORT":11778,"DST_PORT":14673,"PROTOCOL":"isis","PACKETS":2,"BYTES":3803,"time":1452643200}
{"TAG":10001,"SRC_MAC":"52:54:00:17:5e:e3","DST_MAC":"52:54:00:75:da:af","VLAN":2647,"COS":2,"IN_IFACE":2,"OUT_IFACE":1,"SRC_IP":"42.120.86.253","DST_IP":"42.120.83.58","SRC_MASK":24,"DST_MASK":24,"SRC_PORT":16767,"DST_PORT":16418,"PROTOCOL":"ipv6-route","PACKETS":10,"BYTES":2852,"time":1452643200}
{"TAG":10002,"SRC_MAC":"52:54:00:4a:e6:49","DST_MAC":"52:54:00:37:f2:78","VLAN":1005,"COS":88,"IN_IFACE":3,"OUT_IFACE":2,"SRC_IP":"42.120.81.90","DST_IP":"42.120.81.248","SRC_MASK":24,"DST_MASK":24,"SRC_PORT":11573,"DST_PORT":16757,"PROTOCOL":"encap","PACKETS":7,"BYTES":1745,"time":1452643200}
{"TAG":10001,"SRC_MAC":"52:54:00:52:1e:29","DST_MAC":"52:54:00:6a:2b:0e","VLAN":1816,"COS":26,"IN_IFACE":2,"OUT_IFACE":3,"SRC_IP":"42.120.82.91","DST_IP":"42.120.85.121","SRC_MASK":24,"DST_MASK":24,"SRC_PORT":15961,"DST_PORT":15761,"PROTOCOL":"gre","PACKETS":16,"BYTES":2753,"time":1452643200}
{"TAG":10000,"SRC_MAC":"52:54:00:3d:16:89","DST_MAC":"52:54:00:33:b8:54","VLAN":3393,"COS":64,"IN_IFACE":4,"OUT_IFACE":2,"SRC_IP":"42.120.86.27","DST_IP":"42.120.85.184","SRC_MASK":24,"DST_MASK":24,"SRC_PORT":18677,"DST_PORT":17202,"PROTOCOL":"eigrp","PACKETS":6,"BYTES":3474,"time":1452643200}
{"TAG":10000,"SRC_MAC":"52:54:00:01:bb:4c","DST_MAC":"52:54:00:21:91:c0","VLAN":3803,"COS":23,"IN_IFACE":1,"OUT_IFACE":2,"SRC_IP":"42.120.85.186","DST_IP":"42.120.82.206","SRC_MASK":24,"DST_MASK":24,"SRC_PORT":15093,"DST_PORT":18784,"PROTOCOL":"ospf","PACKETS":20,"BYTES":3171,"time":1452643200}
The mapping
curl -XGET localhost:9200/sflow/_mapping | json_reformat
{
"sflow": {
"mappings": {
"9k": {
"properties": {
"BYTES": {
"type": "long"
},
"COS": {
"type": "long"
},
"DST_IP": {
"type": "string"
},
"DST_MAC": {
"type": "string"
},
"DST_MASK": {
"type": "long"
},
"DST_PORT": {
"type": "long"
},
"IN_IFACE": {
"type": "long"
},
"OUT_IFACE": {
"type": "long"
},
"PACKETS": {
"type": "long"
},
"PROTOCOL": {
"type": "string"
},
"SRC_IP": {
"type": "string"
},
"SRC_MAC": {
"type": "string"
},
"SRC_MASK": {
"type": "long"
},
"SRC_PORT": {
"type": "long"
},
"TAG": {
"type": "long"
},
"VLAN": {
"type": "long"
},
"time": {
"type": "long"
}
}
}
}
}
}
The agg query
curl -XPOST 'localhost:9200/sflow/_search?pretty' -d '
{
"query": { "match_all": {} },
"aggs":
{
"by_SRC_IP":
{
"terms": {"script": "[doc.SRC_IP.value, doc.DST_IP.value].join('-')","size": 3, "order": {"sum_bits": "desc"}},
"aggs": { "sum_bits": { "sum": {"field": "BYTES"} } }
}
}
}'
The output
{
"error" : {
"root_cause" : [ {
"type" : "groovy_script_compilation_exception",
"reason" : "failed to compile groovy script"
} ],
"type" : "search_phase_execution_exception",
"reason" : "all shards failed",
"phase" : "query",
"grouped" : true,
"failed_shards" : [ {
"shard" : 0,
"index" : "sflow",
"node" : "N0xpH1hbQG-V9DU-ANfVgw",
"reason" : {
"type" : "script_exception",
"reason" : "Failed to compile inline script [[doc.SRC_IP.value, doc.DST_IP.value].join(-)] using lang [groovy]",
"caused_by" : {
"type" : "groovy_script_compilation_exception",
"reason" : "failed to compile groovy script",
"caused_by" : {
"type" : "multiple_compilation_errors_exception",
"reason" : "startup failed:\nc6d3ea304aad32f8cc4f0efa6b5540cf0ad6be1a: 1: unexpected token: ) @ line 1, column 44.\n alue, doc.DST_IP.value].join(-)\n ^\n\n1 error\n"
}
}
}
} ]
},
"status" : 500
}
Use Elasticksearch to solve TOP N issue的更多相关文章
- Solve Hibernate Lazy-Init issue with hibernate.enable_lazy_load_no_trans
I have been suffering from infamous hibernate exception org.hibernate.LazyInitializationException: c ...
- Oracle Cannot Update TOP N Issue, 请专家解答
大家好 上周写了匿名方法一文,很多读者,很高兴,相信我们已经从大伙的回复中,对.NET又有了更深刻的认识. 好,现在说主题,各类数据库都有相应更新本表top n的方案.现在我一一举例 首先看表结构如下 ...
- 一个DIV三列布局100%高度自适应的好例子(国外)
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W ...
- Replacing JNI Crashes by Exceptions on Android
http://blog.httrack.com/blog/2013/08/23/catching-posix-signals-on-android/ To Report Or Not To Repor ...
- 转:Monoids and Finger Trees
转自:http://apfelmus.nfshost.com/articles/monoid-fingertree.html This post grew out of the big monoid ...
- 小强的HTML5移动开发之路(5)——制作一个漂亮的视频播放器
来自:http://blog.csdn.net/dawanganban/article/details/17679069 在前面几篇文章中介绍了HTML5的特点和需要掌握的基础知识,下面我们开始真正的 ...
- HDU 5988.Coding Contest 最小费用最大流
Coding Contest Time Limit: 2000/1000 MS (Java/Others) Memory Limit: 65536/65536 K (Java/Others)To ...
- Coding Contest(费用流变形题,double)
Coding Contest http://acm.hdu.edu.cn/showproblem.php?pid=5988 Time Limit: 2000/1000 MS (Java/Others) ...
- Ethereum White Paper
https://github.com/ethereum/wiki/wiki/White-Paper White Paper EditNew Page James Ray edited this pag ...
随机推荐
- 数据库text字段存值用回车分隔
//查询 $sql = "SELECT attr_values FROM ecs_attribute WHERE attr_id=197"; $param_sel_sms = ar ...
- 在DOS行下设置静态IP
A.设置静态IP CMD netsh netsh>int interface>ip interface ip>set add "本地链接" static ...
- zabbix基础安装
环境依赖:LNMP或者LAMP 简介参考:http://blog.51cto.com/zhang789/1868880 一.准备 我安装的环境及其版本如下: 系统版本 CentOS Linux rel ...
- Python框架Django的入门
本篇文章主要给大家介绍Django的入门知识:
- [转载]MyBatis mapper文件中的变量引用方式#{}与${}的差别
转载自:http://blog.csdn.net/szwangdf/article/details/26714603 默认情况下,使用#{}语法,MyBatis会产生PreparedStatement ...
- Swing实现个人简历
源码: import java.awt.Container;import java.awt.FlowLayout;import java.awt.Font; import javax.swing.*; ...
- gdb 基础
版权:https://linuxtools-rst.readthedocs.io/zh_CN/latest/tool/gdb.html 1. gdb 调试利器 GDB是一个由GNU开源组织发布的.UN ...
- CF1065D Three Pieces
题目描述:给出一个n*n的棋盘,棋盘上每个格子有一个值.你有一个子,要求将这个子从1移到n*n(去k时可以经过比k大的点). 开局时它可以作为车,马,相(国际象棋).每走一步耗费时间1.你也可以中途将 ...
- Linux思维导图之网络管理
查漏补缺,理解概念,及时总结,欢迎拍砖. IP地址和MAC地址: 1.设计形态不同.IP地址是基于网络拓扑设计出来的,可以人为改动:而MAC地址是制造商烧录好的不能改动,网卡决定了MAC地址,是固定的 ...
- assert.notDeepStrictEqual()详解
assert.notDeepStrictEqual(actual, expected[, message]) 深度地严格不相等比较测试,与 assert.deepStrictEqual() 相反. c ...