Calculating duration

rusty_cole · February 7, 2022, 1:27pm

Hi,
I am not sure if this can be achieved, I have the following query:

GET /winlogbeat-7.14.0-2022.02.03-000001/_search
{
  "query": {
    "match_all": {}
  },
  "aggs": {
    "bulks": {
      "terms": {
        "field": "winlog.event_data.TargetLogonId",
        "size": 10
      },
  "aggs": {
    "bulks": {
      "terms": {
        "field": "winlog.event_data.TargetUserName",
        "size": 10
      },
        "aggs": {
    "bulks": {
      "terms": {
        "field": "host.name",
        "size": 10
      },
      "aggs": {
        "orders": {
          "top_hits": {
            "size": 10
          }
        }
      }
    }
  }
  }
  }
  }
  }
  }

From the query results I need to calculate the following:
Where ever the field - winlog.event_id=4624 appears, this should be the start time(from the timestamp).
Where ever the field - winlog.event_id=4634 appears, this should be the end time.
And than I need to calculate the duration (difference) .
Is there a way to achieve that?

Thanks!

Tomo_M · February 9, 2022, 12:16pm

Are winlog.event_id=4624 and winlog.event_id=4634 unique for each [winlog.event_data.TargetLogonId, winlog.event_data.TargetUserName, host.name] buckets? Or are there several start and end events in the bucket and you have to calculate multiple duration.

Anyway, such customized aggregation could be implemented using scripted metric aggregation.

Topic		Replies	Views
How to calculate duration in aggregation? Elasticsearch	4	3363	July 5, 2017
Using Top Hits aggregation for calculating time duration in each grouped field Elasticsearch	5	1317	August 29, 2017
Aggregate? Logstash	11	3852	July 6, 2017
Associate events with a common field (in order to obtain duration, throughput, ...) Kibana	3	599	April 30, 2019
Show cumulative duration between start / stop events Kibana	5	7762	July 6, 2017

Calculating duration

Related topics