Why this is hard on an "event-centric" log index and a solution that creates an entity-centric index from these logs: https://www.youtube.com/watch?v=yBf7oeJKH2Y
The video example solution is dated in that it talks about Groovy, not Painless, but the principles still hold. Example Painless scripts that work with 6.3+ are here