Hi,
for each user we log a message to Elastic when an application starts and stops.
With one application we are currently having trouble, as the application crashes for some users.
Therefore, I need a simple way to subtract the app-starts from the app-stops and group this by the user. If the number is greater than 1 (as it might be that the app is currently running and not yet stopped) we have a hit.
I played around with many visualization charts as well as with Timelion.
This was my best effort, but grouping (splitting) inside the logStarted brings wrong results and in the end a grouping does not seem to be possible.
".es(q=logStarted).subtract(.es(q=logEipShutdown)).if(gt, 1).abs()"
Any help is welcome.
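
The per-user calculation described above, as an added example that is not part of the original post: it builds an Elasticsearch aggregation body (a terms split per user, two filter sub-aggregations and pipeline scripts) and applies the same rule to constructed events. The field name `user.keyword`, the function names and the sample events are assumptions; the two query strings are the ones from the post.

```python
from collections import Counter

START_QUERY = "logStarted"       # query strings taken from the post
STOP_QUERY = "logEipShutdown"
USER_FIELD = "user.keyword"      # assumption: the post does not name the user field


def build_crash_query(threshold=1, max_users=1000):
    """Search body: per-user (starts - stops), keeping only users above threshold."""
    counts = {"starts": "starts>_count", "stops": "stops>_count"}
    return {
        "size": 0,  # only aggregation results are needed, no hits
        "aggs": {"per_user": {
            "terms": {"field": USER_FIELD, "size": max_users},
            "aggs": {
                "starts": {"filter": {"query_string": {"query": START_QUERY}}},
                "stops": {"filter": {"query_string": {"query": STOP_QUERY}}},
                # Difference reported in each user bucket.
                "unstopped": {"bucket_script": {
                    "buckets_path": counts,
                    "script": "params.starts - params.stops"}},
                # Drop user buckets that are not above the threshold.
                "only_hits": {"bucket_selector": {
                    "buckets_path": counts,
                    "script": f"params.starts - params.stops > {threshold}"}},
            },
        }},
    }


def unstopped_by_user(events, threshold=1):
    """Same rule applied locally to (user, message) pairs."""
    diff = Counter()
    for user, message in events:
        if START_QUERY in message:
            diff[user] += 1
        elif STOP_QUERY in message:
            diff[user] -= 1
    return {user: d for user, d in diff.items() if d > threshold}


# Constructed sample events, not real log data.
SAMPLE = [
    ("alice", "logStarted"), ("alice", "logEipShutdown"),
    ("alice", "logStarted"),                           # still running: diff 1
    ("bob", "logStarted"), ("bob", "logStarted"),
    ("bob", "logStarted"), ("bob", "logEipShutdown"),  # diff 2: hit
]

if __name__ == "__main__":
    print(unstopped_by_user(SAMPLE))
```

The body carries no time-range filter, so counts cover the whole index unless a range query is added around it.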