{
"query": {
"bool": {
"must": [
{
"range": {
"@timestamp": {
"gte": "now-1h",
"lte": "now"
}
}
},
{
"term": {
"syslogProgram.raw": "extFlowRecords"
}
}
],
"must_not": []
}
},
"size": 0,
"aggs": {
"Agg1Date": {
"date_histogram": {
"field": "Agg1Date",
"interval": "60s",
"min_doc_count": 0
},
"aggs": {
"Agg2Terms": {
"terms": {
"field": "Agg2Terms",
"size": 5,
"order": {
"_count": "desc"
}
},
"aggs": {
"Agg3Terms": {
"terms": {
"field": "Agg3Terms",
"size": 5,
"order": {
"_count": "desc"
}
},
"aggs": {
"Agg4Terms": {
"terms": {
"field": "Agg4Terms",
"size": 5,
"order": {
"_count": "desc"
}
},
"aggs": {
"Agg5Terms": {
"terms": {
"field": "Agg5Terms",
"size": 5,
"order": {
"_count": "desc"
}
},
"aggs": {
"Agg6Terms": {
"terms": {
"field": "Agg6Terms",
"size": 10000,
"order": {
"_term": "asc"
}
},
"aggs": {
"Agg7Terms": {
"terms": {
"field": "Agg7Terms",
"size": 10000,
"order": {
"_term": "asc"
}
},
"aggs": {
"Agg8Terms": {
"terms": {
"field": "Agg8Terms",
"size": 10000,
"order": {
"_term": "asc"
}
},
"aggs": {
"Agg9Terms": {
"terms": {
"field": "Agg9Terms",
"size": 10000,
"order": {
"_term": "asc"
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}