lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202
							[[search-aggregations-bucket-iprange-aggregation]]
=== IP Range Aggregation

Just like the dedicated <<search-aggregations-bucket-daterange-aggregation,date>> range aggregation, there is also a dedicated range aggregation for IP typed fields:

Example:

[source,console]
--------------------------------------------------
GET /ip_addresses/_search
{
    "size": 10,
    "aggs" : {
        "ip_ranges" : {
            "ip_range" : {
                "field" : "ip",
                "ranges" : [
                    { "to" : "10.0.0.5" },
                    { "from" : "10.0.0.5" }
                ]
            }
        }
    }
}
--------------------------------------------------
// TEST[setup:iprange]

Response:

[source,js]
--------------------------------------------------
{
    ...

    "aggregations": {
        "ip_ranges": {
            "buckets" : [
                {
                    "key": "*-10.0.0.5",
                    "to": "10.0.0.5",
                    "doc_count": 10
                },
                {
                    "key": "10.0.0.5-*",
                    "from": "10.0.0.5",
                    "doc_count": 260
                }
            ]
        }
    }
}
--------------------------------------------------
// TESTRESPONSE[s/\.\.\./"took": $body.took,"timed_out": false,"_shards": $body._shards,"hits": $body.hits,/]

IP ranges can also be defined as CIDR masks:

[source,console]
--------------------------------------------------
GET /ip_addresses/_search
{
    "size": 0,
    "aggs" : {
        "ip_ranges" : {
            "ip_range" : {
                "field" : "ip",
                "ranges" : [
                    { "mask" : "10.0.0.0/25" },
                    { "mask" : "10.0.0.127/25" }
                ]
            }
        }
    }
}
--------------------------------------------------
// TEST[setup:iprange]

Response:

[source,js]
--------------------------------------------------
{
    ...

    "aggregations": {
        "ip_ranges": {
            "buckets": [
                {
                    "key": "10.0.0.0/25",
                    "from": "10.0.0.0",
                    "to": "10.0.0.128",
                    "doc_count": 128
                },
                {
                    "key": "10.0.0.127/25",
                    "from": "10.0.0.0",
                    "to": "10.0.0.128",
                    "doc_count": 128
                }
            ]
        }
    }
}
--------------------------------------------------
// TESTRESPONSE[s/\.\.\./"took": $body.took,"timed_out": false,"_shards": $body._shards,"hits": $body.hits,/]

==== Keyed Response

Setting the `keyed` flag to `true` will associate a unique string key with each bucket and return the ranges as a hash rather than an array:

[source,console]
--------------------------------------------------
GET /ip_addresses/_search
{
    "size": 0,
    "aggs": {
        "ip_ranges": {
            "ip_range": {
                "field": "ip",
                "ranges": [
                    { "to" : "10.0.0.5" },
                    { "from" : "10.0.0.5" }
                ],
                "keyed": true
            }
        }
    }
}
--------------------------------------------------
// TEST[setup:iprange]

Response:

[source,js]
--------------------------------------------------
{
    ...

    "aggregations": {
        "ip_ranges": {
            "buckets": {
                "*-10.0.0.5": {
                    "to": "10.0.0.5",
                    "doc_count": 10
                },
                "10.0.0.5-*": {
                    "from": "10.0.0.5",
                    "doc_count": 260
                }
            }
        }
    }
}
--------------------------------------------------
// TESTRESPONSE[s/\.\.\./"took": $body.took,"timed_out": false,"_shards": $body._shards,"hits": $body.hits,/]

It is also possible to customize the key for each range:

[source,console]
--------------------------------------------------
GET /ip_addresses/_search
{
    "size": 0,
    "aggs": {
        "ip_ranges": {
            "ip_range": {
                "field": "ip",
                "ranges": [
                    { "key": "infinity", "to" : "10.0.0.5" },
                    { "key": "and-beyond", "from" : "10.0.0.5" }
                ],
                "keyed": true
            }
        }
    }
}
--------------------------------------------------
// TEST[setup:iprange]

Response:

[source,js]
--------------------------------------------------
{
    ...

    "aggregations": {
        "ip_ranges": {
            "buckets": {
                "infinity": {
                    "to": "10.0.0.5",
                    "doc_count": 10
                },
                "and-beyond": {
                    "from": "10.0.0.5",
                    "doc_count": 260
                }
            }
        }
    }
}
--------------------------------------------------
// TESTRESPONSE[s/\.\.\./"took": $body.took,"timed_out": false,"_shards": $body._shards,"hits": $body.hits,/]