Add stop timestamp base on previous doc (event)

moimart1 · November 12, 2018, 4:22pm

Hello,

I push some events to elasticsearch with the following structure:

{
    "name": "status",
    "value": "active",
    "timestamp": "2018-01-01T00:00:00.000Z"
}

And when I receive a new event with the same name, like

{
    "name": "status",
    "value": "stopped",
    "timestamp": "2018-01-01T01:00:00.000Z"
}

I want to update the event status:active with a stopTimestamp field, like

{
    "name": "status",
    "value": "active",
    "timestamp": "2018-01-01T00:00:00.000Z"
    "stopTimestamp": "2018-01-01T01:00:00.000Z"
}

The final goal is to show events / transactions on a timeline, and the timeline require the field stop date

It is possible to have a document with a start and a stop date base on two previous events ?

Thanks

Martin

Mark_Harwood · November 12, 2018, 4:26pm

If you have lots of unique names to track see discussion on Distinct count with filter

moimart1 · November 14, 2018, 3:59pm

Thanks

If I understand correctly, you suggest to do another index with my events with start stop from my events with only start.

How I can update automatically my new index ? I need to do an external script or I can have a "built-in" solution ?

system · December 12, 2018, 3:59pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to calculate between document Elasticsearch	3	578	July 6, 2017
Start and stop events in logfiles Elasticsearch	3	877	July 5, 2017
Updating document with scripted_metric aggregation result Elasticsearch	2	405	March 27, 2017
MongoDb & ES: Where can I store timestamp for last updated document in ES? Elasticsearch	2	1734	July 6, 2017
ConditionalUpdate Logstash	2	467	July 6, 2017