cinhtau · November 13, 2018 16:07
diff --git a/filebeat.md b/filebeat.md
diff --git a/part1_search.txt b/part1_search.txt
 GET payments-*/_search
 {
  "size": 0,
  "query": {
    "bool": {
      "must": [
        {
          "match_all": {}
        }
      ],
      "filter": {
        "range": {
          "@timestamp": {
            "gte": "now-4h"
          }
        }
      }
    }
  },
  "aggs": {
    "states": {
      "terms": {
        "field": "address.state"
      },
      "aggs": {
        "payments": {
          "sum": {
            "field": "amount"
          }
        },
        "payments_bucket_sort": {
          "bucket_sort": {
            "sort": [
              {
                "payments": {
                  "order": "desc"
                }
              }
            ],
            "size": 5
          }
        }
      }
    }
  }
 }
diff --git a/part2_search.txt b/part2_search.txt
 GET payments-*/_search
 {
  "size": 0,
  "query": {
    "bool": {
      "must": [
        {
          "match_all": {}
        }
      ],
      "filter": {
        "range": {
          "@timestamp": {
            "gte": "now-4h"
          }
        }
      }
    }
  },
  "aggs": {
    "states": {
      "terms": {
        "field": "address.state",
        "size": 5
      },
      "aggs": {
        "cities": {
          "terms": {
            "field": "address.city"
          },
          "aggs": {
            "payments": {
              "sum": {
                "field": "amount"
              }
            },
            "payments_bucket_sort": {
              "bucket_sort": {
                "sort": [
                  {
                    "payments": {
                      "order": "desc"
                    }
                  }
                ],
                "size": 3
              }
            }
          }
        }
      }
    }
  }
 }
diff --git a/template-statistics.txt b/template-statistics.txt
 PUT _template/statistics
 {
  "index_patterns": [
    "statistics-*"
  ],
  "settings": {
    "number_of_shards": 1
  },
  "mappings": {
    "doc": {
      "dynamic": true,
      "properties": {
        "logtime": {
          "type": "date",
          "format": "epoch_millis"
        },
        "counter": {
          "type": "integer"
        },
        "class": {
          "type": "keyword"
        }
      }
    }
  }
 }
	GET payments-*/_search
	{
	"size": 0,
	"query": {
	"bool": {
	"must": [
	{
	"match_all": {}
	}
	],
	"filter": {
	"range": {
	"@timestamp": {
	"gte": "now-4h"
	}
	}
	}
	}
	},
	"aggs": {
	"states": {
	"terms": {
	"field": "address.state"
	},
	"aggs": {
	"payments": {
	"sum": {
	"field": "amount"
	}
	},
	"payments_bucket_sort": {
	"bucket_sort": {
	"sort": [
	{
	"payments": {
	"order": "desc"
	}
	}
	],
	"size": 5
	}
	}
	}
	}
	}
	}
	PUT _template/statistics
	{
	"index_patterns": [
	"statistics-*"
	],
	"settings": {
	"number_of_shards": 1
	},
	"mappings": {
	"doc": {
	"dynamic": true,
	"properties": {
	"logtime": {
	"type": "date",
	"format": "epoch_millis"
	},
	"counter": {
	"type": "integer"
	},
	"class": {
	"type": "keyword"
	}
	}
	}
	}
	}