Hi,

I'm new to elasticsearch, so please bear with me.

I am using logstash to ship sendmail logs into elasticsearch.
For any particular mail, sendmail logs the "to" and "from" addresses in 
different log entries, resulting in (at least) two different elasticsearch 
documents per mail (they do share a sendmail message ID).

For example:
{
  id: 1
  msgid: s938943sa99
  from: [email protected]
  relayip: 192.168.0.1
}
{
  id: 2
  msgid: s938943sa99
  to: [email protected]
  status: Sent
}

I would like to be able to find out the number of mails sent per to/from 
combination over a particular time period,
i.e. 5 mails sent from [email protected] to [email protected], and 7 mails 
sent from [email protected] to [email protected] in the last hour.

I understand about using aggregations on a field, so I can find out how 
many mails were sent from a particular address:

curl -XGET 'http://localhost:9200/logstash*/_search?pretty=true' -d '
{
  "query" : {
    "bool" : {
      "must" : [
        { 
          "range" : {
            "@timestamp" : {
              "gt" : "now-1h"
            }
          }
        }
      ]
    }
  },
  "aggs" : {
    "myfrom" : {
      "terms" : {
        "field" : "from.raw",
        "min_doc_count" : 1
      }
    }
  }
}'

I don't see how I can combine the documents to aggregate on to/from 
combination.
Is this possible?

Thanks for any help,
Martin

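As an added example, not from Martin's post and not Elasticsearch's own code: the join he describes, done client-side in Python on constructed sample documents. It folds the per-line documents together by msgid, then counts to/from pairs for mails whose "from" document lies in a one-hour window, and reports message IDs whose "from" line never arrived instead of silently dropping them. Addresses, timestamps and message IDs are constructed; the document shape and the "Sent" status follow the post's example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample documents (not from the post): logstash emits one "from"
# document and one or more "to" documents per mail, linked only by msgid.
DOCS = [
    {"@timestamp": "2014-05-01T10:05:00Z", "msgid": "s938943sa99", "from": "alice@example.com"},
    {"@timestamp": "2014-05-01T10:05:01Z", "msgid": "s938943sa99", "to": "bob@example.org", "status": "Sent"},
    {"@timestamp": "2014-05-01T10:20:00Z", "msgid": "s938944sa00", "from": "alice@example.com"},
    {"@timestamp": "2014-05-01T10:20:02Z", "msgid": "s938944sa00", "to": "bob@example.org", "status": "Sent"},
    {"@timestamp": "2014-05-01T10:20:02Z", "msgid": "s938944sa00", "to": "carol@example.org", "status": "Deferred"},
    # "to" line whose "from" line was never indexed: cannot be attributed
    {"@timestamp": "2014-05-01T10:30:00Z", "msgid": "s938945sa01", "to": "bob@example.org", "status": "Sent"},
    # complete mail, but older than the one-hour window
    {"@timestamp": "2014-05-01T08:00:00Z", "msgid": "s938900sa55", "from": "dave@example.com"},
    {"@timestamp": "2014-05-01T08:00:01Z", "msgid": "s938900sa55", "to": "bob@example.org", "status": "Sent"},
]

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def merge_by_msgid(docs):
    # Fold the per-line documents into one record per sendmail message ID:
    # sender and timestamp from the "from" document, one recipient per "to" document.
    mails = defaultdict(lambda: {"from": None, "ts": None, "rcpts": []})
    for d in docs:
        m = mails[d["msgid"]]
        if "from" in d:
            m["from"], m["ts"] = d["from"], parse_ts(d["@timestamp"])
        if "to" in d:
            m["rcpts"].append((d["to"], d.get("status")))
    return mails

def sent_pairs(docs, now, window=timedelta(hours=1)):
    # Count "Sent" (from, to) pairs for mails whose "from" document lies within
    # `window` before `now`; mails lacking a "from" document are returned separately.
    counts, unattributed = Counter(), []
    for msgid, m in merge_by_msgid(docs).items():
        if m["from"] is None:
            unattributed.append(msgid)
        elif m["ts"] >= now - window:
            for rcpt, status in m["rcpts"]:
                if status == "Sent":
                    counts[(m["from"], rcpt)] += 1
    return counts, unattributed

if __name__ == "__main__":
    counts, missing = sent_pairs(DOCS, parse_ts("2014-05-01T10:45:00Z"))
    print(sorted(counts.items()), "unattributed:", missing)
```
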
-- 
You received this message because you are subscribed to the Google Groups 
"elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/elasticsearch/b8d758b5-dd4e-4218-8f89-00970b4519a3%40googlegroups.com.