Go Elasticsearch 快速入门

相关文档

聚合

例一

例二

Index Mapping:

{
  "mappings": {
    "properties": {
      "userid": {
        "type": "keyword"
      }
    }
  }
}

Search Query:

{
  "size": 0,
  "aggs": {
    "userId": {
      "terms": {
        "field": "userid"
      },
      "aggs": {
        "the_filter": {
          "bucket_selector": {
            "buckets_path": {
              "the_doc_count": "_count"
            },
            "script": "params.the_doc_count == 3" //取桶聚合值等于3的
          }
        }
      }
    }
  }
}

Search Result:

"aggregations": {
    "userId": {
      "doc_count_error_upper_bound": 0,
      "sum_other_doc_count": 0,
      "buckets": [
        {
          "key": "1",              // this denotes the userid having count==3
          "doc_count": 3
        }
      ]
    }

例三

mapping

{
    "routing_num_shards":768,
    "settings":{
        "index":{
            "mapping":{
                "total_fields":{
                    "limit":"10000"
                }
            },
            "number_of_shards":"6",
            "max_result_window":"2000000",
            "number_of_replicas":"0"
        }
    },
    "mappings":{
        "_doc":{
            "properties":{
                "country":{
                    "type":"keyword"
                },
                "cloudPlatform":{
                    "type":"keyword"
                },
                "beginAt":{
                    "type":"text",
                    "fields":{
                        "keyword":{
                            "ignore_above":256,
                            "type":"keyword"
                        }
                    }
                },
                "os":{
                    "type":"keyword"
                },
                "city":{
                    "type":"keyword"
                },
                "hostIP":{
                    "type":"ip"
                },
                "nodeType":{
                    "type":"keyword"
                },
                "type":{
                    "type":"short"
                },
                "version":{
                    "type":"keyword"
                },
                "isFullNode":{
                    "type":"boolean"
                },
                "netProtocol":{
                    "type":"short"
                },
                "createdAt":{
                    "format":"yyyy-MM-dd HH:mm:ss",
                    "type":"date"
                },
                "srcAddr":{
                    "type":"keyword"
                },
                "province":{
                    "type":"keyword"
                },
                "hostPort":{
                    "type":"integer"
                },
                "addr":{
                    "type":"keyword"
                },
                "nodeID":{
                    "type":"keyword"
                },
                "user":{
                    "type":"keyword"
                },
                "height":{
                    "type":"integer"
                },
                "status":{
                    "type":"short"
                },
                "updatedAt":{
                    "format":"yyyy-MM-dd HH:mm:ss",
                    "type":"date"
                }
            }
        }
    }
}

data:

POST certdata-blockchainnodedetect/_doc
{
  "updatedAt": "2023-02-17 09:53:23",
  "createdAt": "2023-02-17 09:53:23",
  "nodeID": "blockchainDetection_btcd_1001",
  "addr": "64.44.118.194:48442",
  "srcAddr": "176.126.167.10:8334",
  "status": 1,
  "type": 2,
  "version": "0",
  "user": "",
  "os": "",
  "cloudPlatform": "",
  "nodeType": "",
  "isFullNode": false,
  "height": 0,
  "hostIP": "64.44.118.194",
  "hostPort": 48442,
  "netProtocol": 1,
  "country": "未知地区",
  "province": "未知地区",
  "city": "未知地区"
}

Search Query:

GET certdata-blockchainnodedetect/_search
{
  "size": 0, 
  "aggs": {
    "aggIp": {
      "terms": {
        "field": "hostIP",
        "size": 2,
         "min_doc_count": 2 // 取doc_count>2的桶
      },
      "aggs": {
        "aggType": {
          "terms": {
            "field": "type",
            "size": 2,
            "min_doc_count": 1 // 取doc_count>1的桶
          }
        }
      }
    }
  },
  "track_total_hits":true
}

Search Result:

"aggregations" : {
    "aggIp" : {
      "doc_count_error_upper_bound" : 29,
      "sum_other_doc_count" : 145467,
      "buckets" : [
        {
          "key" : "64.44.118.194",
          "doc_count" : 31,
          "aggType" : {
            "doc_count_error_upper_bound" : 0,
            "sum_other_doc_count" : 0,
            "buckets" : [
              {
                "key" : 1,
                "doc_count" : 30
              },
              {
                "key" : 2,
                "doc_count" : 1
              }
            ]
          }
        },
        {
          "key" : "107.175.102.74",
          "doc_count" : 29,
          "aggType" : {
            "doc_count_error_upper_bound" : 0,
            "sum_other_doc_count" : 0,
            "buckets" : [
              {
                "key" : 1,
                "doc_count" : 29
              }
            ]
          }
        }
      ]
    }
  }

例四

ES操作之总和桶聚合(Sum Bucket Aggregation)
使用场景: 获取某分组条件下所有桶的指定度量的和
比如: 根据某个条件分组,获取前1000条数据出现的数量和.
https://www.cnblogs.com/nysd/p/12858355.html

例五

elasticsearch 聚合分桶之后,获取桶的总数及统计
https://www.codenong.com/c3130039/

例六

查时间5年之内 && 国家为GB && 类型为软件
聚合一级分类
子聚合 二级分类、产品、公司

mapping

{
  "test" : {
    "mappings" : {
      "properties" : {
        "asn" : {
          "dynamic" : "true",
          "properties" : {
            "number" : {
              "type" : "long"
            },
            "organization" : {
              "type" : "keyword"
            }
          }
        },
        "banner" : {
          "type" : "text"
        },
        "base_protocol" : {
          "type" : "keyword"
        },
        "body" : {
          "type" : "text"
        },
        "cert" : {
          "type" : "text"
        },
        "certs" : {
          "dynamic" : "true",
          "properties" : {
            "cert_date" : {
              "type" : "date",
              "format" : "yyyy-MM-dd HH:mm:ss"
            },
            "cert_num" : {
              "type" : "integer"
            },
            "domain" : {
              "type" : "keyword"
            },
            "is_valid" : {
              "type" : "boolean"
            },
            "issuer_cn" : {
              "type" : "keyword"
            },
            "issuer_cns" : {
              "type" : "keyword"
            },
            "issuer_org" : {
              "type" : "keyword"
            },
            "not_after" : {
              "type" : "date",
              "format" : "yyyy-MM-dd HH:mm:ss"
            },
            "not_before" : {
              "type" : "date",
              "format" : "yyyy-MM-dd HH:mm:ss"
            },
            "sig_alth" : {
              "type" : "keyword"
            },
            "sn" : {
              "type" : "keyword"
            },
            "subject_cn" : {
              "type" : "keyword"
            },
            "subject_cns" : {
              "type" : "keyword"
            },
            "subject_org" : {
              "type" : "keyword"
            },
            "valid_type" : {
              "type" : "keyword"
            }
          }
        },
        "create_at" : {
          "type" : "date",
          "format" : "yyyy-MM-dd HH:mm:ss"
        },
        "critical" : {
          "dynamic" : "true",
          "properties" : {
            "category" : {
              "type" : "keyword"
            },
            "parent_category" : {
              "type" : "keyword"
            }
          }
        },
        "dbs" : {
          "dynamic" : "true",
          "properties" : {
            "count" : {
              "type" : "long"
            },
            "db_size" : {
              "type" : "long"
            },
            "name" : {
              "type" : "keyword"
            },
            "records" : {
              "type" : "long"
            },
            "version" : {
              "type" : "keyword"
            }
          }
        },
        "domain" : {
          "type" : "keyword"
        },
        "favicon" : {
          "dynamic" : "true",
          "properties" : {
            "base64" : {
              "type" : "text"
            },
            "hash" : {
              "type" : "text"
            },
            "url" : {
              "type" : "keyword"
            }
          }
        },
        "geoip" : {
          "dynamic" : "true",
          "properties" : {
            "city" : {
              "type" : "keyword"
            },
            "continent" : {
              "type" : "keyword"
            },
            "coordinate" : {
              "type" : "geo_point"
            },
            "country" : {
              "type" : "keyword"
            },
            "country_name" : {
              "type" : "keyword"
            },
            "isp" : {
              "type" : "keyword"
            },
            "latitude" : {
              "type" : "double"
            },
            "longitude" : {
              "type" : "double"
            },
            "region" : {
              "type" : "keyword"
            },
            "timezone" : {
              "type" : "keyword"
            }
          }
        },
        "header" : {
          "type" : "text"
        },
        "host" : {
          "type" : "keyword"
        },
        "hostnames" : {
          "type" : "keyword"
        },
        "id" : {
          "type" : "text",
          "fields" : {
            "keyword" : {
              "type" : "keyword",
              "ignore_above" : 256
            }
          }
        },
        "ip" : {
          "type" : "ip"
        },
        "os" : {
          "type" : "keyword"
        },
        "port" : {
          "type" : "integer"
        },
        "products" : {
          "type" : "nested",
          "dynamic" : "true",
          "properties" : {
            "category" : {
              "type" : "keyword"
            },
            "company" : {
              "type" : "keyword"
            },
            "level" : {
              "type" : "integer"
            },
            "parent_category" : {
              "type" : "keyword"
            },
            "product" : {
              "type" : "keyword"
            },
            "softhard" : {
              "type" : "keyword"
            },
            "version" : {
              "type" : "keyword"
            }
          }
        },
        "protocol" : {
          "type" : "keyword"
        },
        "server" : {
          "type" : "text"
        },
        "subdomain" : {
          "type" : "keyword"
        },
        "type" : {
          "type" : "keyword"
        },
        "update_at" : {
          "type" : "date",
          "format" : "yyyy-MM-dd HH:mm:ss"
        },
        "vulnerabilities" : {
          "type" : "nested",
          "dynamic" : "true",
          "properties" : {
            "cnnvd_id" : {
              "type" : "keyword"
            },
            "cnvd_id" : {
              "type" : "keyword"
            },
            "cve_id" : {
              "type" : "keyword"
            },
            "third_id" : {
              "type" : "keyword"
            },
            "vul_id" : {
              "type" : "keyword"
            },
            "vul_level" : {
              "type" : "integer"
            },
            "vul_name" : {
              "type" : "keyword"
            },
            "vul_scan_at" : {
              "type" : "date",
              "format" : "yyyy-MM-dd HH:mm:ss"
            },
            "vul_type" : {
              "type" : "keyword"
            },
            "vul_url" : {
              "type" : "keyword"
            }
          }
        }
      }
    }
  }
}

数据

{
        "_index" : "test",
        "_type" : "_doc",
        "_id" : "147.20.51.63:47413",
        "_score" : 1.0,
        "_source" : {
          "id" : "147.20.51.63:47413",
          "create_at" : "2023-03-08 10:40:15",
          "update_at" : "2023-03-08 10:40:15",
          "type" : "zoomeye",
          "ip" : "147.20.51.63",
          "port" : 47413,
          "protocol" : "ssh",
          "base_protocol" : "",
          "geoip" : {
            "isp" : "ProPublica",
            "city" : "Baton Rouge",
            "region" : "Tucson",
            "country" : "MU",
            "country_name" : "Western Sahara",
            "continent" : "Europe",
            "timezone" : "E. South America Standard Time",
            "longitude" : -160.311844,
            "latitude" : 59.053322
          },
          "host" : "directsolutions.info",
          "hostnames" : [
            "seniore-markets.name"
          ],
          "domain" : [
            "futureout-of-the-box.name"
          ],
          "subdomain" : [
            "globalrelationships.io"
          ],
          "os" : [
            "Magentakey",
            "humanscale.net"
          ],
          "server" : "MediumVioletRedwater 2.12.8",
          "header" : "",
          "banner" : "",
          "body" : "",
          "cert" : "",
          "certs" : {
            "cert_date" : "1908-09-18 14:56:22",
            "cert_num" : 62116,
            "domain" : "regionalmethodologies.com",
            "is_valid" : true,
            "issuer_cn" : "Loqate, Inc.",
            "issuer_cns" : [
              "Abt Associates"
            ],
            "issuer_org" : "PowerAdvocate",
            "not_after" : "1987-01-25 17:11:33",
            "not_before" : "2023-05-05 22:09:38",
            "sig_alth" : "476798901",
            "sn" : "792605713",
            "subject_cn" : "Deloitte",
            "subject_cns" : [
              "Aidin"
            ],
            "subject_org" : "FarmLogs",
            "valid_type" : "banh mi"
          },
          "critical" : null,
          "asn" : {
            "number" : "363979346",
            "organization" : "Ez-XBRL"
          },
          "products" : [
            {
              "product" : "DarkCyanpod",
              "level" : 9,
              "category" : "MistyRosehost",
              "parent_category" : "Dinosaurhad",
              "softhard" : "2",
              "company" : "Equilar",
              "version" : "4.7.1"
            }
          ],
          "dbs" : {
            "name" : "Orangelie",
            "version" : "4.5.20",
            "count" : 3277458818733511498,
            "db_size" : -4909779963776056562,
            "records" : 6346730448776087845
          },
          "favicon" : {
            "base64" : "If we deconstruct the matrix, we can get to the HDD hard drive through the multi-byte HTTP protocol!",
            "hash" : "Overriding the program won't do anything, we need to bypass the primary IB bandwidth!",
            "url" : "https://www.forwardenhance.net/strategic"
          },
          "vulnerabilities" : null
        }
      }

查询

# 查时间5年之内 && 国家为GB && 类型为软件 
# 聚合一级分类
# 子聚合 二级分类、产品、公司
GET test/_search
{
  "size": 0,
  "query": {
    "constant_score": {
      "boost": 1.2,
      "filter": {
        "bool": {
          "must": [
            {
              "range": {
                "update_at": {
                  "from": "now-5y",
                  "include_lower": true,
                  "include_upper": true,
                  "to": null
                }
              }
            },
            {
              "term": {
                "geoip.country": "GB"
              }
            },
            {
              "nested": {
                "path": "products",
                "query": {
                  "bool": {
                    "must": [
                      {
                        "term": {
                          "products.softhard": {
                            "value": "2"
                          }
                        }
                      }
                    ]
                  }
                }
              }
            }
          ]
        }
      }
    }
  },
  "aggs": {
    "productsGroup": {
      "nested": {
        "path": "products"
      },
      "aggs": {
        "first_category": {
          "terms": {
            "field": "products.parent_category",
            "order": [
              {
                "_count": "desc"
              }
            ],
            "size": 50
          },
          "aggs": {
            "company": {
              "terms": {
                "field": "products.company",
                "order": [
                  {
                    "_count": "desc"
                  }
                ],
                "size": 50
              }
            },
            "product": {
              "terms": {
                "field": "products.product",
                "order": [
                  {
                    "_count": "desc"
                  }
                ],
                "size": 50
              }
            },
            "second_category": {
              "terms": {
                "field": "products.category",
                "order": [
                  {
                    "_count": "desc"
                  }
                ],
                "size": 50
              }
            }
          }
        }
      }
    }
  }
}

go代码片断

func (m *metaDataService) WorldAllDataService(ctx context.Context, in *model.WorldAllDataInput) (resp *elasticCore.SearchResult, err error) {
    ctx, span := gtrace.NewSpan(ctx, "MetaData.WorldAllDataService")
    defer span.End()


    // 开放端口的城市分布
    filters := []*Filters{
        &Filters{
            Qu:       "update_at",
            Wildcard: ">=",
            T:        "now-5y",
        },
    }
    if len(in.CateCountryCode) > 0 {
        filters = append(filters, &Filters{
            Qu:       "geoip.country",
            Wildcard: "",
            T:        strings.ToUpper(in.CateCountryCode),
        })
    }
    // 组装查询条件
    query := elasticCore.NewBoolQuery()
    query = buildFilters(ctx, query, filters)
    query = query.Must(
        elasticCore.NewNestedQuery(
            "products",
            elasticCore.NewBoolQuery().
                Must(
                    elasticCore.NewTermQuery("products.softhard", 2),
                ),
        ),
    )
    q := elasticCore.NewConstantScoreQuery(query).Boost(1.2)
    sourceQ2, _ := q.Source()
    fofacore.PrintQuery(sourceQ2)

    // 聚合
    firstCategoryAgg := elasticCore.NewTermsAggregation().Field("products.parent_category").Size(50).OrderByCountDesc().
        SubAggregation("second_category", elasticCore.NewTermsAggregation().Field("products.category").Size(50).OrderByCountDesc()).
        SubAggregation("company", elasticCore.NewTermsAggregation().Field("products.company").Size(50).OrderByCountDesc()).
        SubAggregation("product", elasticCore.NewTermsAggregation().Field("products.product").Size(50).OrderByCountDesc())

    nestedAgg := elasticCore.NewNestedAggregation().Path("products").
        SubAggregation("first_category", firstCategoryAgg)

    // print esquery
    sourceQ1, _ := nestedAgg.Source()
    fofacore.PrintQuery(sourceQ1)

    // 查询结果
    res, err := EsClient(string(ast.EsMetadata)).
        Size(0).
        Query(q).
        Aggregation("productsGroup", nestedAgg).
        Pretty(true).
        Do(context.Background())

    //glog.Info(ctx, "res:", res)

    // 返回结果
    return res, err
}


// 组装参数
func buildFilters(ctx context.Context, query *elasticCore.BoolQuery, filters []*Filters) (filersQuery *elasticCore.BoolQuery) {

    for i := range filters {
        if filters[i].Qu != "" || filters[i].T != "" {
            switch filters[i].Wildcard {
            case "=":
                query = query.Must(elasticCore.NewTermQuery(filters[i].Qu, filters[i].T))
            case "in":
                values := filters[i].T.([]string)
                tmpInter := make([]interface{}, 0)

                for v := range values {
                    tmpInter = append(tmpInter, values[v])
                }

                query = query.Must(elasticCore.NewTermsQuery(filters[i].Qu, tmpInter...))
            case "!=":
                query = query.MustNot(elasticCore.NewTermQuery(filters[i].Qu, filters[i].T))
            case ">=":
                query = query.Must(elasticCore.NewRangeQuery(filters[i].Qu).Gte(filters[i].T))
            case "<=":
                query = query.Must(elasticCore.NewRangeQuery(filters[i].Qu).Lte(filters[i].T))
            case "range":
                // filters[i].T = "now-5y,now"
                ts := strings.Split(filters[i].T.(string), ",")
                query = query.Must(elasticCore.NewRangeQuery(filters[i].Qu).Gte(ts[0]).Lte(ts[1]))
            default:
                query = query.Must(elasticCore.NewTermQuery(filters[i].Qu, filters[i].T))
            }
        }
    }

    return query
}


// PrintQuery 自定义es query打印函数
func PrintQuery(src interface{}) {
    log.Println("*****")
    data, err := json.MarshalIndent(src, "", "  ")
    if err != nil {
        panic(err)
    }
    log.Println(string(data))
}

type Filters struct {
    Qu       string      // 字段名 如: is_ipv6
    Wildcard string      //通配符 如: “=”   “!=”  ">=" "<=" "in"
    T        interface{} //搜索值 如: false, 当Wildcard 为 range时 T= "now-5y,now",
}

结果

{
  "took" : 3,
  "timed_out" : false,
  "_shards" : {
    "total" : 6,
    "successful" : 6,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 1,
      "relation" : "eq"
    },
    "max_score" : null,
    "hits" : [ ]
  },
  "aggregations" : {
    "productsGroup" : {
      "doc_count" : 1,
      "first_category" : {
        "doc_count_error_upper_bound" : 0,
        "sum_other_doc_count" : 0,
        "buckets" : [
          {
            "key" : "Eleganceare",
            "doc_count" : 1,
            "product" : {
              "doc_count_error_upper_bound" : 0,
              "sum_other_doc_count" : 0,
              "buckets" : [
                {
                  "key" : "DarkVioletpack",
                  "doc_count" : 1
                }
              ]
            },
            "second_category" : {
              "doc_count_error_upper_bound" : 0,
              "sum_other_doc_count" : 0,
              "buckets" : [
                {
                  "key" : "PeachPuffdentist",
                  "doc_count" : 1
                }
              ]
            },
            "company" : {
              "doc_count_error_upper_bound" : 0,
              "sum_other_doc_count" : 0,
              "buckets" : [
                {
                  "key" : "AllState Insurance Group",
                  "doc_count" : 1
                }
              ]
            }
          }
        ]
      }
    }
  }
}

例七

数据同例六

要求:查五年以内 domain去重后的总数

esQuery查询

GET metadata/_search
{
  "size": 0,
  "query": {
    "bool": {
      "must": {
        "range": {
          "update_at": {
            "from": "now-5y",
            "include_lower": true,
            "include_upper": true,
            "to": null
          }
        }
      }
    }
  },
  "aggs": {
    "domain": {
      "cardinality": {
        "field": "domain"
        , "precision_threshold": 4000
      }
    }
  }
}

go代码片断

//DomainTotalService  domain去重总数
func (m *metaDataService) DomainTotalService(ctx context.Context, in *model.DomainTotalInput) (cardinalityCount int, err error) {
    ctx, span := gtrace.NewSpan(ctx, "MetaData.DomainTotalService")
    defer span.End()

    span.SetAttributes(
        attribute.String("MetaData.DomainTotalService.CateCountryCode", in.CateCountryCode),
    )

    //var key = "index_fofa_world_CS_total"
    //if len(in.CateCountryCode) > 0 {
    //    key += in.CateCountryCode
    //}

    // 开放端口的城市分布
    filters := []*Filters{
        &Filters{
            Qu:       "update_at",
            Wildcard: ">=",
            T:        "now-5y",
        },
    }
    if len(in.CateCountryCode) > 0 {
        filters = append(filters, &Filters{
            Qu:       "geoip.country",
            Wildcard: "",
            T:        strings.ToUpper(in.CateCountryCode),
        })
    }
    cardinalityCount, err = m.GetCardinalityAggs(ctx, "domain", filters)
    glog.Info(ctx, "cardinalityCount:", cardinalityCount)

    // 返回结果
    return cardinalityCount, err
}


// GetCardinalityAggs 聚合数据(去重)总数
func (m *metaDataService) GetCardinalityAggs(ctx context.Context, aggField string, filters []*Filters) (groupByNestedCount int, err error) {

    // 获取去重的字段数量(通用)
    cardinalityAggCount := elasticCore.NewCardinalityAggregation().
        Field(aggField).
        PrecisionThreshold(4000)
    //Rehash(true)

    // print esquery
    sourceQ1, _ := cardinalityAggCount.Source()
    fofacore.PrintQuery(sourceQ1)

    query := elasticCore.NewBoolQuery()

    // 组装查询条件
    query = buildFilters(ctx, query, filters)
    q := elasticCore.NewConstantScoreQuery(query).Boost(1.2)
    sourceQ2, _ := q.Source()
    fofacore.PrintQuery(sourceQ2)

    // 查询结果
    res, err := EsClient(string(ast.EsMetadata)).
        Size(0).
        Query(q).
        Aggregation("cardinalityCount", cardinalityAggCount).
        Pretty(true).
        Do(context.Background())
    // 取数据

    aggsGroup, _ := res.Aggregations.Terms("cardinalityCount")
    for _, bucket := range aggsGroup.Aggregations {
        marshalJSON, _ := bucket.MarshalJSON()
        groupByNestedCount, err = strconv.Atoi(string(marshalJSON))
    }
    return
}

结果

{
  "took" : 1,
  "timed_out" : false,
  "_shards" : {
    "total" : 6,
    "successful" : 6,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 53,
      "relation" : "eq"
    },
    "max_score" : null,
    "hits" : [ ]
  },
  "aggregations" : {
    "companyGroup" : {
      "doc_count" : 53,
      "company" : {
        "value" : 0
      }
    }
  }
}

例八

数据同例六

companynested 属性
要求:查五年以内 company 去重后的总数

esQuery查询

GET metadata/_search
{
  "size": 0, 
  "query": {
    "bool": {
      "must": {
        "range": {
          "update_at": {
            "from": "now-5y",
            "include_lower": true,
            "include_upper": true,
            "to": null
          }
        }
      }
    }
  },
  "aggs": {
    "companyGroup": {
      "nested": {
        "path": "products"
      },
      "aggs": {
        "company": {
          "cardinality": {
            "field": "products.company",
            "precision_threshold": 4000
          }
        }
      }
    }
  }
}

go代码断片


//WorldCsTotalService 当前区域厂商总数 company 去重总数
func (m *metaDataService) WorldCsTotalService(ctx context.Context, in *model.WorldCsTotalResInput) (cardinalityCount int, err error) {
    ctx, span := gtrace.NewSpan(ctx, "MetaData.WorldCsTotalService")
    defer span.End()

    span.SetAttributes(
        attribute.String("MetaData.WorldCsTotalService.CateCountryCode", in.CateCountryCode),
    )

    //var key = "index_fofa_world_CS_total"
    //if len(in.CateCountryCode) > 0 {
    //    key += in.CateCountryCode
    //}
    // 开放端口的城市分布
    filters := []*Filters{
        &Filters{
            Qu:       "update_at",
            Wildcard: ">=",
            T:        "now-5y",
        },
    }
    if len(in.CateCountryCode) > 0 {
        filters = append(filters, &Filters{
            Qu:       "geoip.country",
            Wildcard: "",
            T:        strings.ToUpper(in.CateCountryCode),
        })
    }
    cardinalityCount, err = m.GetCardinalityNestedAggs(ctx, "products.company", filters)
    glog.Info(ctx, "cardinalityCount:", cardinalityCount)

    // 返回结果
    return cardinalityCount, err
}

// GetCardinalityNestedAggs Nested的聚合数据(去重)总数

func (m *metaDataService) GetCardinalityNestedAggs(ctx context.Context, aggField string, filters []*Filters) (groupByNestedCount int, err error) {

    subAgg := elasticCore.NewCardinalityAggregation().
        Field(aggField).
        PrecisionThreshold(4000)

    // Nested聚合
    sn := elasticCore.NewNestedAggregation()
    sn.Path("products")
    sn.SubAggregation("group_by_nested", subAgg)
    // print esquery
    sourceQ1, _ := sn.Source()
    fofacore.PrintQuery(sourceQ1)

    query := elasticCore.NewBoolQuery()

    // 组装查询条件
    query = buildFilters(ctx, query, filters)
    q := elasticCore.NewConstantScoreQuery(query).Boost(1.2)

    sourceQ2, _ := q.Source()
    fofacore.PrintQuery(sourceQ2)

    // 查询结果
    res, err := EsClient(string(ast.EsMetadata)).
        Size(0).
        Query(q).
        Aggregation("aggs", sn).
        Pretty(true).
        Do(context.Background())
    // 取数据
    aggsGroup, _ := res.Aggregations.Terms("aggs")
    groupByNestedAgg, _ := aggsGroup.Aggregations.Terms("group_by_nested")

    for _, bucket := range groupByNestedAgg.Aggregations {
        marshalJSON, _ := bucket.MarshalJSON()
        groupByNestedCount, err = strconv.Atoi(string(marshalJSON))
    }
    return
}

结果

{
  "took" : 1,
  "timed_out" : false,
  "_shards" : {
    "total" : 6,
    "successful" : 6,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 53,
      "relation" : "eq"
    },
    "max_score" : null,
    "hits" : [ ]
  },
  "aggregations" : {
    "companyGroup" : {
      "doc_count" : 53,
      "company" : {
        "value" : 47
      }
    }
  }
}

例九

sum的value就是分组的os桶的doc_count之和
DSL

GET metadata/_search
{
  "size": 0,
  "query": {
    "constant_score": {
      "filter": {
        "bool": {
          "must": [
            {
              "term": {
                "critical.parent_category": "市政"
              }
            },
            {
              "range": {
                "update_at": {
                  "from": "now-5y",
                  "include_lower": true,
                  "include_upper": true,
                  "to": null
                }
              }
            }
          ]
        }
      },
      "boost": 1.2
    }
  },
  "aggs": {
    "port": {
      "terms": {
        "field": "port",
        "size": 5
      }
    },

    "protocol": {
      "terms": {
        "field": "protocol",
        "size": 5
      }
    },
    "os": {
      "terms": {
        "field": "os",
        "size": 10
      }
    },
    "sum":{
      "sum_bucket": {
        "buckets_path": "os>_count"
      }
    }, 
    "country": {
      "terms": {
        "field": "geoip.country_name",
        "size": 10
      }
    },
    "city": {
      "terms": {
        "field": "geoip.city",
        "size": 10
      }
    }
  }
}

结果:

{
  "took" : 4,
  "timed_out" : false,
  "_shards" : {
    "total" : 6,
    "successful" : 6,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 2,
      "relation" : "eq"
    },
    "max_score" : null,
    "hits" : [ ]
  },
  "aggregations" : {
    "country" : {
      "doc_count_error_upper_bound" : 0,
      "sum_other_doc_count" : 0,
      "buckets" : [
        {
          "key" : "Angola",
          "doc_count" : 2
        }
      ]
    },
    "protocol" : {
      "doc_count_error_upper_bound" : 0,
      "sum_other_doc_count" : 0,
      "buckets" : [
        {
          "key" : "ssh",
          "doc_count" : 2
        }
      ]
    },
    "os" : {
      "doc_count_error_upper_bound" : 0,
      "sum_other_doc_count" : 0,
      "buckets" : [
        {
          "key" : "Pairhad",
          "doc_count" : 2
        },
        {
          "key" : "seniormarkets.io",
          "doc_count" : 2
        }
      ]
    },
    "city" : {
      "doc_count_error_upper_bound" : 0,
      "sum_other_doc_count" : 0,
      "buckets" : [
        {
          "key" : "Boise",
          "doc_count" : 2
        }
      ]
    },
    "port" : {
      "doc_count_error_upper_bound" : 0,
      "sum_other_doc_count" : 0,
      "buckets" : [
        {
          "key" : 53520,
          "doc_count" : 2
        }
      ]
    },
    "sum" : {
      "value" : 4.0
    }
  }
}

例十

sum的value就是分组的first_category桶的doc_count之和
DSL

GET metadata/_search
{
  "size": 0,
  "query": {
    "constant_score": {
      "filter": {
        "bool": {
          "must": [
            {
              "range": {
                "update_at": {
                  "from": "now-5y",
                  "include_lower": true,
                  "include_upper": true,
                  "to": null
                }
              }
            }
          ]
        }
      },
      "boost": 1.2
    }
  },
  "aggs": {
    "productsGroup": {
      "nested": {
        "path": "products"
      },
      "aggs": {
        "parent_category": {
          "terms": {
            "field": "products.parent_category",
            "size": 50
          }
        },
         "sum": {
          "sum_bucket": {
            "buckets_path": "parent_category>_count"
          }
        }
      }

    }
  }
}

gocode 例九例十代码片断


func (m *metaDataService) CateChartService(ctx context.Context, in *model.CateChartInput) (list map[string][]model.AggItemV, err error) {
    ctx, span := gtrace.NewSpan(ctx, "MetaData.CateChartService")
    defer span.End()

    if len(in.Fields) == 0 {
        in.Fields = consts.MetaAggAllFields
    }
    if in.TopN == 0 {
        in.TopN = 10
    }

    aggFieldArr := strings.Split(in.Fields, ",")
    query := elasticCore.NewBoolQuery()

    // 生成es查询语句
    filters := []*Filters{
        &Filters{
            Qu:       "update_at",
            Wildcard: ">=",
            T:        "now-5y",
        },
    }
    // 组装查询条件
    query = buildFilters(ctx, query, filters)
    if len(in.CPCate) > 0 {
        query = m.buildEsQueryService(ctx, "c_parent_category", in.CPCate)
    }

    q := elasticCore.NewConstantScoreQuery(query).Boost(1.2)

    sourceQ2, _ := q.Source()
    fofacore.PrintQuery(sourceQ2)
    // 聚合
    var csr = make([]model.AggItemV, 0)
    var listMap = make(map[string][]model.AggItemV, 0)
    for _, field := range aggFieldArr {
        switch field {
        case "port", "os", "protocol",
            "country", "country_name", "region", "city":
            csr, err = m.AggWithFieldService(ctx, field, in.TopN, q)
            if err != nil {
                glog.Errorf(ctx, "m.AggWithFieldService failed, srField:[%v] err:[%v] ", field, err)
            }
            listMap[field] = csr

        case "product", "level", "category", "parent_category", "softhard", "company":
            csr, err = m.AggWithFieldNestedService(ctx, field, in.TopN, q)
            if err != nil {
                glog.Errorf(ctx, "m.AggWithFieldNestedService failed,srField:[%v] err:[%v]", field, err)
            }
            listMap[field] = csr
        default:

        }
    }

    //glog.Info(ctx, "listMap:", listMap)

    // 返回结果
    return listMap, err
}





// AggItemV ========================================
type AggItemV struct {
    Name    string  `json:"name"`
    Value   int64   `json:"value"`
    Percent float64 `json:"percent"`
}


// 生成es查询语句
func (m *metaDataService) buildEsQueryService(ctx context.Context, serachFields, value string) (esQuery *elasticCore.BoolQuery) {

    serachFieldArr := strings.Split(serachFields, ",")

    query := elasticCore.NewBoolQuery()
    var filters []*Filters
    for _, field := range serachFieldArr {
        switch field {
        case "c_parent_category":
            filters = append(filters, &Filters{
                Qu:       "critical.parent_category",
                Wildcard: "",
                T:        value,
            })
        case "c_category":
            filters = append(filters, &Filters{
                Qu:       "critical.c_category",
                Wildcard: "",
                T:        value,
            })
        case "port", "os", "protocol":
            filters = append(filters, &Filters{
                Qu:       field,
                Wildcard: "",
                T:        value,
            })
        case "country":
            filters = append(filters, &Filters{
                Qu:       "geoip." + field,
                Wildcard: "",
                T:        strings.ToUpper(value),
            })
        case "country_name", "region", "city":
            filters = append(filters, &Filters{
                Qu:       "geoip." + field,
                Wildcard: "",
                T:        value,
            })
        case "product", "level", "category", "parent_category", "softhard", "company":
            query = query.Must(
                elasticCore.NewNestedQuery(
                    "products",
                    elasticCore.NewBoolQuery().
                        Must(
                            elasticCore.NewTermQuery("products."+value, value),
                        ),
                ),
            )
        default:
            filters = append(filters, &Filters{
                Qu:       value,
                Wildcard: "",
                T:        value,
            })
        }

    }
    // 组装查询条件
    query = buildFilters(ctx, query, filters)

    return query
}

type Filters struct {
    Qu       string      // 字段名 如: is_ipv6
    Wildcard string      //通配符 如: “=”   “!=”  ">=" "<=" "in"
    T        interface{} ////搜索值 如: false, 当Wildcard 为 range时 T= "now-5y,now",
}

//AggWithFieldService 指定字段聚合
func (m *metaDataService) AggWithFieldService(ctx context.Context, aggField string, aggFieldSize int, esQuery *elasticCore.ConstantScoreQuery) (csr []model.AggItemV, err error) {
    ctx, span := gtrace.NewSpan(ctx, "MetaData.AggWithFieldService")
    defer span.End()

    // 组装查询条件

    // 聚合
    var aggFieldNameMap = map[string]string{
        "port":         "port",
        "os":           "os",
        "protocol":     "protocol",
        "country":      "geoip.country",
        "country_name": "geoip.country_name",
        "region":       "geoip.region",
        "city":         "geoip.city",
    }
    aggFieldQ := aggField
    if _, ok := aggFieldNameMap[aggField]; ok {
        aggFieldQ = aggFieldNameMap[aggField]
    }

    aggQ := elasticCore.NewTermsAggregation().Field(aggFieldQ).Size(aggFieldSize).OrderByCountDesc()

    sourceQ1, _ := aggQ.Source()
    fofacore.PrintQuery(sourceQ1)

    aggSumQ := elasticCore.NewSumBucketAggregation().BucketsPath(aggField + ">_count")
    sourceQ2, _ := aggSumQ.Source()
    fofacore.PrintQuery(sourceQ2)

    // 查询结果
    res, err := EsClient(string(ast.EsMetadata)).
        Size(0).
        Query(esQuery).
        Aggregation(aggField, aggQ).
        Aggregation("sum", aggSumQ).
        Pretty(true).
        Do(context.Background())
    if err != nil {
        glog.Errorf(ctx, "AggWithFieldService esquery failed: err:[%v]", err)
    }
    group, _ := res.Aggregations.Terms(aggField)
    sumGroup, _ := res.Aggregations.Terms("sum")
    var total float64 = 0
    for _, bucket := range sumGroup.Aggregations {
        marshalJSON, _ := bucket.MarshalJSON()
        total, _ = strconv.ParseFloat(string(marshalJSON), 64)
    }

    if len(group.Aggregations) == 0 {
        return
    }

    var result []model.AggItemV
    for _, cList := range group.Buckets {
        var resultItem model.AggItemV

        if key, ok := cList.Key.(string); ok {
            resultItem.Name = key
        } else if key, ok := cList.Key.(float64); ok {
            resultItem.Name = strconv.Itoa(int(key))
        } else if key, ok := cList.Key.(interface{}); ok {
            resultItem.Name = convertor.ToString(key)
        }

        resultItem.Value = cList.DocCount
        if proportion, err := strconv.ParseFloat(fmt.Sprintf("%.2f", float64(cList.DocCount)/total*100), 64); err == nil {
            resultItem.Percent = proportion
        }

        result = append(result, resultItem)
    }

    //glog.Info(ctx, "result:", result)

    // 返回结果
    return result, err
}

//AggWithFieldNestedService 指定字段聚合Nested属性
func (m *metaDataService) AggWithFieldNestedService(ctx context.Context, aggField string, aggFieldSize int, esQuery *elasticCore.ConstantScoreQuery) (csr []model.AggItemV, err error) {
    ctx, span := gtrace.NewSpan(ctx, "MetaData.AggWithFieldNestedService")
    defer span.End()

    // 组装查询条件

    // 聚合
    var aggFieldNameMap = map[string]string{
        "product":         "products.product",
        "level":           "products.level",
        "category":        "products.category",
        "parent_category": "products.parent_category",
        "softhard":        "products.softhard",
        "company":         "products.company",
    }
    var pathNameMap = map[string]string{
        "product":         "products",
        "level":           "products",
        "category":        "products",
        "parent_category": "products",
        "softhard":        "products",
        "company":         "products",
    }

    aggSumQ := elasticCore.NewSumBucketAggregation().BucketsPath(aggField + ">_count")
    //sourceQ2, _ := aggSumQ.Source()
    //fofacore.PrintQuery(sourceQ2)

    categoryAgg := elasticCore.NewTermsAggregation().Field(aggFieldNameMap[aggField]).Size(aggFieldSize).OrderByCountDesc()
    nestedAgg := elasticCore.NewNestedAggregation().Path(pathNameMap[aggField]).
        SubAggregation(aggField, categoryAgg).
        SubAggregation("sum", aggSumQ)

    sourceQ1, _ := nestedAgg.Source()
    fofacore.PrintQuery(sourceQ1)

    // 查询结果
    res, err := EsClient(string(ast.EsMetadata)).
        Size(0).
        Query(esQuery).
        Aggregation("group", nestedAgg).
        Pretty(true).
        Do(context.Background())

    if err != nil {
        glog.Errorf(ctx, "AggWithFieldNestedService esquery failed: err:[%v]", err)
    }

    countryGroup, _ := res.Aggregations.Terms("group")
    category, _ := countryGroup.Aggregations.Terms(aggField)

    sumAgg, _ := countryGroup.Aggregations.Terms("sum")
    var total float64 = 0
    for _, bucket := range sumAgg.Aggregations {
        marshalJSON, _ := bucket.MarshalJSON()
        total, err = strconv.ParseFloat(string(marshalJSON), 64)
    }

    if len(countryGroup.Aggregations) == 0 {
        return
    }

    var result []model.AggItemV
    for _, cList := range category.Buckets {
        var resultItem model.AggItemV
        resultItem.Name = cList.Key.(string)
        resultItem.Value = cList.DocCount
        if proportion, err := strconv.ParseFloat(fmt.Sprintf("%.2f", float64(cList.DocCount)/total*100), 64); err == nil {
            resultItem.Percent = proportion
        }

        result = append(result, resultItem)
    }

    //glog.Info(ctx, "result:", result)

    // 返回结果
    return result, err
}

结果:

{
  "took" : 52,
  "timed_out" : false,
  "_shards" : {
    "total" : 6,
    "successful" : 6,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 183,
      "relation" : "eq"
    },
    "max_score" : null,
    "hits" : [ ]
  },
  "aggregations" : {
    "productsGroup" : {
      "doc_count" : 184,
      "first_category" : {
        "doc_count_error_upper_bound" : 0,
        "sum_other_doc_count" : 0,
        "buckets" : [
          {
            "key" : "服务器管理产品",
            "doc_count" : 19
          },
          {
            "key" : "其他类型",
            "doc_count" : 16
          },
          {
            "key" : "服务器软件",
            "doc_count" : 16
          },
          {
            "key" : "行业产品",
            "doc_count" : 16
          },
          {
            "key" : "服务器设备",
            "doc_count" : 15
          },
          {
            "key" : "Web组件",
            "doc_count" : 14
          },
          {
            "key" : "企业应用软件",
            "doc_count" : 14
          },
          {
            "key" : "云平台软件",
            "doc_count" : 13
          },
          {
            "key" : "设备模块",
            "doc_count" : 13
          },
          {
            "key" : "存储设备",
            "doc_count" : 11
          },
          {
            "key" : "网络交换设备",
            "doc_count" : 11
          },
          {
            "key" : "物联网设备",
            "doc_count" : 10
          },
          {
            "key" : "网络安全产品",
            "doc_count" : 9
          },
          {
            "key" : "办公外设",
            "doc_count" : 7
          }
        ]
      },
      "sum" : {
        "value" : 184.0
      }
    }
  }
}

例十一 查不为null 或者 为null 的数据

# vulnerabilities字段(nested属性数组的) 不为null的或者空的
GET metadata/_search
{
  "query": {
    "nested": {
      "path": "vulnerabilities",
      "query": {
        "bool": {
          "must": {
            "exists": {
              "field": "vulnerabilities"
            }
          }
        }
      }
    }
  }
}

# vulnerabilities字段(nested属性数组的) 为null的 或者空的
POST /metadata/_doc/_search
{
  "query": {
    "bool": {
      "must_not": [
        {
          "exists": {
            "field": "vulnerabilities"
          }
        }
      ]
    }
  }
}


# critical字段(对像类型字段) 不为null的
GET metadata/_search
{
  "query": {
    "bool": {
      "must": [
        {
          "exists": {
            "field": "critical"
          }
        }
      ]
    }
  }
}

# critical字段(对像类型字段) 为null的
GET metadata/_search
{
  "query": {
    "bool": {
      "must_not": [
        {
          "exists": {
            "field": "critical"
          }
        }
      ]
    }
  }
}

# 需要查询出critical 不为 null 并且 critical.parent_category不为 "" 的数据
GET metadata/_search
{
  "_source": [
    "critical"
  ],
  "query": {
    "bool": {
      "must": [
        {
          "exists": {
            "field": "critical"
          }
        },{
          "bool": {
            "must_not": [
              {
                "term": {
                  "critical.parent_category": {
                    "value": ""
                  }
                }
              }
            ]
          }
        }
      ]
    }
  }
}

# 现需要查询出tags为 "" 或者为 null 的数据
{
  "query": {
    "bool": {
      "must": {
        "match_all": {}
      },
      "filter": [
        {
          "terms": {
            "_id": [
              "ec5db526a7b32bdd1f6ac865cf830436",
              "e0422a0641334293810275a5302b5014"
            ]
          }
        },
        {
          "bool": {
            "should": [
              {
                "term": {
                  "tags": ""
                }
              },
              {
                "bool": {
                  "must_not": [
                    {
                      "exists": {
                        "field": "tags"
                      }
                    }
                  ]
                }
              }
            ]
          }
        }
      ]
    }
  },
  "size": 100,
  "sort": [],
  "_source": [
    "uuid",
    "tags"
  ]
}

inner_hits{} 查出products.softhard为2的数据

# inner_hits{} 查出products.softhard为2的数据
GET metadata/_search
{
  "_source": [
    "products",
    "ip",
    "port"
  ],
  "size": 10,
  "query": {
    "constant_score": {
      "filter": {
        "bool": {
          "must": [
            {
              "range": {
                "update_at": {
                  "from": "now-5y",
                  "include_lower": true,
                  "include_upper": true,
                  "to": null
                }
              }
            },
            {
              "term": {
                "ip": "10.10.11.12"
              }
            },
            {
              "term": {
                "port": "81"
              }
            },
            {
              "nested": {
                "path": "products",
                "query": {
                  "bool": {
                    "must": [
                      {
                        "term": {
                          "products.softhard": {
                            "value": "2"
                          }
                        }
                      }
                    ]
                  }
                },
                "inner_hits": {}
              }
            }
          ]
        }
      },
      "boost": 1.2
    }
  }
}

返回数据中多了inner_hits字段,就是筛选出来的结果

{
  "took" : 2,
  "timed_out" : false,
  "_shards" : {
    "total" : 6,
    "successful" : 6,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 1,
      "relation" : "eq"
    },
    "max_score" : 1.2,
    "hits" : [
      {
        "_index" : "metadata",
        "_type" : "_doc",
        "_id" : "10.10.11.12:81",
        "_score" : 1.2,
        "_source" : {
          "port" : 81,
          "ip" : "10.10.11.12",
          "products" : [
            {
              "product" : "授权系统",
              "level" : 0,
              "parent_category" : "网络产品",
              "softhard" : "2",
              "company" : "Huawei_rj",
              "category" : "ADSL",
              "version" : ""
            },
            {
              "product" : "路由器AX6 ",
              "level" : 1,
              "parent_category" : "网络产品",
              "softhard" : "1",
              "company" : "Huawei_yj",
              "category" : "ADSL",
              "version" : ""
            },
            {
              "product" : "路由器AX7 ",
              "level" : 1,
              "parent_category" : "网络产品",
              "softhard" : "1",
              "company" : "Huawei_yj",
              "category" : "ADSL",
              "version" : ""
            }
          ]
        },
        "inner_hits" : {
          "products" : {
            "hits" : {
              "total" : {
                "value" : 1,
                "relation" : "eq"
              },
              "max_score" : 7.9944715,
              "hits" : [
                {
                  "_index" : "metadata",
                  "_type" : "_doc",
                  "_id" : "10.10.11.12:81",
                  "_nested" : {
                    "field" : "products",
                    "offset" : 0
                  },
                  "_score" : 7.9944715,
                  "_source" : {
                    "product" : "授权系统",
                    "level" : 0,
                    "parent_category" : "网络产品",
                    "softhard" : "2",
                    "company" : "Huawei_rj",
                    "category" : "ADSL",
                    "version" : ""
                  }
                }
              ]
            }
          }
        }
      }
    ]
  }
}

聚合出products.softhard 为1的数据

# inner_hits https://www.jianshu.com/p/0d6488a8072b
# 聚合出products.softhard 为1的数据
GET metadata/_search
{
  "_source": [
    "products",
    "ip",
    "port"
  ],
  "size": 2,
  "query": {
    "constant_score": {
      "filter": {
        "bool": {
          "must": [
            {
              "range": {
                "update_at": {
                  "from": "now-5y",
                  "include_lower": true,
                  "include_upper": true,
                  "to": null
                }
              }
            },
            {
              "term": {
                "ip": "10.10.11.12"
              }
            },
            {
              "term": {
                "port": "81"
              }
            }
          ]
        }
      },
      "boost": 1.2
    }
  },
  "aggs": {
    "companyGroup": {
      "aggs": {
        "filter_softhard": {
          "aggs": {
            "company": {
              "terms": {
                "field": "products.company",
                "order": [
                  {
                    "_count": "desc"
                  }
                ],
                "size": 10
              }
            }
          },
          "filter": {
            "term": {
              "products.softhard": 1
            }
          }
        }
      },
      "nested": {
        "path": "products"
      }
    }
  }
}

返回结果:

{
  "took" : 2,
  "timed_out" : false,
  "_shards" : {
    "total" : 6,
    "successful" : 6,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 1,
      "relation" : "eq"
    },
    "max_score" : 1.2,
    "hits" : [
      {
        "_index" : "metadata",
        "_type" : "_doc",
        "_id" : "10.10.11.12:81",
        "_score" : 1.2,
        "_source" : {
          "port" : 81,
          "ip" : "10.10.11.12",
          "products" : [
            {
              "product" : "授权系统",
              "level" : 0,
              "parent_category" : "网络产品",
              "softhard" : "2",
              "company" : "Huawei_rj",
              "category" : "ADSL",
              "version" : ""
            },
            {
              "product" : "路由器AX6 ",
              "level" : 1,
              "parent_category" : "网络产品",
              "softhard" : "1",
              "company" : "Huawei_yj",
              "category" : "ADSL",
              "version" : ""
            },
            {
              "product" : "路由器AX7 ",
              "level" : 1,
              "parent_category" : "网络产品",
              "softhard" : "1",
              "company" : "Huawei_yj",
              "category" : "ADSL",
              "version" : ""
            }
          ]
        }
      }
    ]
  },
  "aggregations" : {
    "companyGroup" : {
      "doc_count" : 3,
      "filter_softhard" : {
        "doc_count" : 2,
        "company" : {
          "doc_count_error_upper_bound" : 0,
          "sum_other_doc_count" : 0,
          "buckets" : [
            {
              "key" : "Huawei_yj",
              "doc_count" : 2
            }
          ]
        }
      }
    }
  }
}

过滤漏洞 “vulnerabilities.vul_name”=””matrix”或”feed” ,并求分桶之合

##过滤漏洞 "vulnerabilities.vul_name"=""matrix"或"feed"  ,并求分桶之合
GET metadata/_search
{
  "_source": [
    "products",
    "ip",
    "port",
    "vulnerabilities"
  ],
  "size": 10,
  "query": {
    "constant_score": {
      "filter": {
        "bool": {
          "must": [
            {
              "range": {
                "update_at": {
                  "from": "now-5y",
                  "include_lower": true,
                  "include_upper": true,
                  "to": null
                }
              }
            },
            {
              "term": {
                "ip": "ae96:c471:5498:2c53:b019:a53d:ff02:8cbb"
              }
            },
            {
              "term": {
                "port": "52131"
              }
            }
          ]
        }
      },
      "boost": 1.2
    }
  },
  "aggs": {
    "vulnerabilitiesGroup": {
      "nested": {
        "path": "vulnerabilities"
      },
      "aggs": {
        "vul_name_filter": {
          "filter": {
            "terms": {
              "vulnerabilities.vul_name": ["matrix","feed"]
            }
          },
          "aggs": {
            "vul_name": {
              "terms": {
                "field": "vulnerabilities.vul_name",
                "size": 25
              }
            },
            "sum": {
              "sum_bucket": {
                "buckets_path": "vul_name>_count"
              }
            }
          }
        }
      }
    }
  }
}

返参

{
  "took" : 3,
  "timed_out" : false,
  "_shards" : {
    "total" : 6,
    "successful" : 6,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 1,
      "relation" : "eq"
    },
    "max_score" : 1.2,
    "hits" : [
      {
        "_index" : "metadata",
        "_type" : "_doc",
        "_id" : "ae96:c471:5498:2c53:b019:a53d:ff02:8cbb:52131",
        "_score" : 1.2,
        "_source" : {
          "port" : 52131,
          "ip" : "ae96:c471:5498:2c53:b019:a53d:ff02:8cbb",
          "vulnerabilities" : [
            {
              "vul_name" : "feed",
              "third_id" : "",
              "vul_level" : 3,
              "vul_id" : "CNVD.1679481666805",
              "vul_scan_at" : "2023-03-22 17:41:06",
              "cve_id" : "",
              "vul_url" : "http://www.seniormindshare.net/niches/enable/content/relationships",
              "cnvd_id" : "1679481666805",
              "vul_type" : "optical",
              "cnnvd_id" : ""
            },
            {
              "vul_name" : "matrix",
              "third_id" : "1679481666805",
              "vul_level" : 3,
              "vul_id" : "Third.1679481666805",
              "vul_scan_at" : "2023-03-22 17:41:06",
              "cve_id" : "",
              "vul_url" : "http://www.legacyapplications.biz/real-time",
              "cnvd_id" : "",
              "vul_type" : "multi-byte",
              "cnnvd_id" : ""
            },
            {
              "vul_name" : "matrix",
              "third_id" : "",
              "vul_level" : 4,
              "vul_id" : "CVE.1679481666805",
              "vul_scan_at" : "2023-03-22 17:41:06",
              "cve_id" : "1679481666805",
              "vul_url" : "https://www.forwardintuitive.io/dot-com/granular/efficient",
              "cnvd_id" : "",
              "vul_type" : "solid state",
              "cnnvd_id" : ""
            },
            {
              "vul_name" : "application",
              "third_id" : "",
              "vul_level" : 2,
              "vul_id" : "CNVD.1679481666805",
              "vul_scan_at" : "2023-03-22 17:41:06",
              "cve_id" : "",
              "vul_url" : "https://www.customergenerate.biz/engage",
              "cnvd_id" : "1679481666805",
              "vul_type" : "haptic",
              "cnnvd_id" : ""
            },
            {
              "vul_name" : "bandwidth",
              "third_id" : "",
              "vul_level" : 3,
              "vul_id" : "CNNVD.1679481666805",
              "vul_scan_at" : "2023-03-22 17:41:06",
              "cve_id" : "",
              "vul_url" : "http://www.internationalcustomized.net/portals",
              "cnvd_id" : "",
              "vul_type" : "auxiliary",
              "cnnvd_id" : "1679481666805"
            }
          ],
          "products" : [
            {
              "product" : "Combwill",
              "level" : 10,
              "parent_category" : "服务器设备",
              "softhard" : "1",
              "company" : "OptumInsight",
              "category" : "串口服务器",
              "version" : "4.7.7"
            }
          ]
        }
      }
    ]
  },
  "aggregations" : {
    "vulnerabilitiesGroup" : {
      "doc_count" : 5,
      "vul_name_filter" : {
        "doc_count" : 3,
        "vul_name" : {
          "doc_count_error_upper_bound" : 0,
          "sum_other_doc_count" : 0,
          "buckets" : [
            {
              "key" : "matrix",
              "doc_count" : 2
            },
            {
              "key" : "feed",
              "doc_count" : 1
            }
          ]
        },
        "sum" : {
          "value" : 3.0
        }
      }
    }
  }
}

过滤一级数据为空的数据 聚合parent_category下的second_category、company、product

# 过滤一级数据为空的数据  聚合parent_category下的second_category、company、product
GET metadata/_search
{
  "size": 1,
  "query": {
    "constant_score": {
      "filter": {
        "bool": {
          "must": [
            {
              "range": {
                "update_at": {
                  "from": "now-5y",
                  "include_lower": true,
                  "include_upper": true,
                  "to": null
                }
              }
            },
            {
              "term": {
                "geoip.country": "CN"
              }
            },
            {
              "nested": {
                "path": "products",
                "query": {
                  "bool": {
                    "must_not": [
                      {
                        "term": {
                          "products.parent_category": ""
                        }
                      }
                    ]
                  }
                }
              }
            }
          ]
        }
      },
      "boost": 1.2
    }
  },
  "aggs": {
    "group": {
      "aggregations": {
        "filterAgg": {
          "aggregations": {
            "first_category": {
              "aggregations": {
                "company": {
                  "terms": {
                    "field": "products.company",
                    "order": [
                      {
                        "_count": "desc"
                      }
                    ],
                    "size": 50
                  }
                },
                "product": {
                  "terms": {
                    "field": "products.product",
                    "order": [
                      {
                        "_count": "desc"
                      }
                    ],
                    "size": 50
                  }
                },
                "second_category": {
                  "terms": {
                    "field": "products.category",
                    "order": [
                      {
                        "_count": "desc"
                      }
                    ],
                    "size": 50
                  }
                }
              },
              "terms": {
                "field": "products.parent_category",
                "order": [
                  {
                    "_count": "desc"
                  }
                ],
                "size": 50
              }
            }
          },
          "filter": {
            "bool": {
              "must_not": {
                "term": {
                  "products.parent_category": ""
                }
              }
            }
          }
        }
      },
      "nested": {
        "path": "products"
      }
    }
  }
}

返回

{
  "took" : 8,
  "timed_out" : false,
  "_shards" : {
    "total" : 6,
    "successful" : 6,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 1029,
      "relation" : "eq"
    },
    "max_score" : 1.2,
    "hits" : [
      {
        "_index" : "metadata",
        "_type" : "_doc",
        "_id" : "124.63.255.17:6501",
        "_score" : 1.2,
        "_source" : {
          "id" : "124.63.255.17:6501",
          "ip" : "124.63.255.17",
          "create_at" : "2023-03-17 15:52:26",
          "update_at" : "2023-03-17 15:52:26",
          "type" : "metadata",
          "port" : 6500,
          "protocol" : "ssh",
          "base_protocol" : "",
          "geoip" : {
            "isp" : "Fuzion Apps, Inc.",
            "city" : "北京市",
            "region" : "北京",
            "country" : "CN",
            "country_name" : "中国",
            "continent" : "Oceania",
            "timezone" : "Romance Standard Time",
            "longitude" : 113.965229,
            "latitude" : -85.548254
          },
          "host" : "humansynergies.io",
          "hostnames" : [
            "corporateengineer.info"
          ],
          "domain" : [ ],
          "icp" : "",
          "subdomain" : [ ],
          "os" : [
            "Pinkposse",
            "leadvortals.com"
          ],
          "server" : "nginx 2.2.10",
          "title" : "个人银行登录系统 22",
          "header" : "",
          "banner" : "",
          "body" : "",
          "cert" : "",
          "certs" : {
            "cert_date" : "1921-03-31 02:32:29",
            "cert_num" : 25100,
            "domain" : "centralcontent.io",
            "is_valid" : false,
            "issuer_cn" : "Navico",
            "issuer_cns" : [
              "Propeller Health"
            ],
            "issuer_org" : "PowerAdvocate",
            "not_after" : "1944-05-15 09:58:19",
            "not_before" : "1990-07-24 02:31:48",
            "sig_alth" : "787900487",
            "sn" : "260224897",
            "subject_cn" : "PIXIA Corp",
            "subject_cns" : [
              "NextBus"
            ],
            "subject_org" : "Russell Investments",
            "valid_type" : "letterpress"
          },
          "critical" : {
            "parent_category" : "金融",
            "category" : "保险"
          },
          "asn" : {
            "number" : "12580",
            "organization" : "China Mobile"
          },
          "products" : [
            {
              "product" : "Mysql",
              "level" : 2,
              "category" : "数据库",
              "parent_category" : "系统软件",
              "softhard" : "2",
              "company" : "Mysql",
              "version" : "1.14.9"
            },
            {
              "product" : "nginx",
              "level" : 2,
              "category" : "服务代理",
              "parent_category" : "支撑系统",
              "softhard" : "2",
              "company" : "nginx",
              "version" : "1.14.9"
            }
          ],
          "dbs" : { },
          "favicon" : {
            "base64" : "The HDD matrix is down, back up the auxiliary microchip so we can verify the XSS bus!",
            "hash" : "The GB system is down, validate the solid state protocol so we can deconstruct the SSL sensor!",
            "url" : "https://www.regionalend-to-end.org/visionary/monetize/intuitive/e-enable"
          },
          "vulnerabilities" : [ ]
        }
      }
    ]
  },
  "aggregations" : {
    "group" : {
      "doc_count" : 1051,
      "filterAgg" : {
        "doc_count" : 1046,
        "first_category" : {
          "doc_count_error_upper_bound" : 0,
          "sum_other_doc_count" : 43,
          "buckets" : [
            {
              "key" : "网络产品",
              "doc_count" : 1003,
              "product" : {
                "doc_count_error_upper_bound" : 0,
                "sum_other_doc_count" : 17,
                "buckets" : [
                  {
                    "key" : "NGINX,Baidu-站长平台,php",
                    "doc_count" : 986
                  }
                ]
              },
              "second_category" : {
                "doc_count_error_upper_bound" : 0,
                "sum_other_doc_count" : 17,
                "buckets" : [
                  {
                    "key" : "服务器",
                    "doc_count" : 986
                  }
                ]
              },
              "company" : {
                "doc_count_error_upper_bound" : 0,
                "sum_other_doc_count" : 17,
                "buckets" : [
                  {
                    "key" : "华顺",
                    "doc_count" : 986
                  }
                ]
              }
            }
          ]
        }
      }
    }
  }
}
作者:海马  创建时间:2023-02-15 23:33
最后编辑:海马  更新时间:2024-12-22 19:32