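To detect users with two or more accounts on a source, you can use the query below. Replace `<<SOURCEID>>` with the ID of the source you want to check; the snippet omits the opening `{` of the request body, which the final closing brace pairs with: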
"query": {
"query": "source.id:<<SOURCEID>>"
},
"indices": [
"identities"
],
"aggregationsDsl": {
"accounts": {
"nested": {
"path": "accounts"
},
"aggs": {
"source_id": {
"terms": {
"field": "accounts.source.id",
"min_doc_count": 2,
"size": 1000
},
"aggs": {
"identities": {
"terms": {
"field": "_id",
"min_doc_count": 2
},
"aggs": {
"accounts": {
"top_hits": {}
}
}
}
}
}
}
}
}
}
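Note that the inner `identities` aggregation sets no `size`, so it presumably returns only the default number of buckets per source; confirm the results are not truncated before treating the list of multi-account identities as complete.
You can refer to this too.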