Chaining two queries, grouping and paritioning/windowing

truekonrads · August 4, 2017, 12:28am

Hello,

I am investigating windows security logs. One query has identified a set of logins which contain a field - "Logon ID". I would now like to have a second query chained/pipelined which finds all the log entries that contain the LogonID, partition/window by this parameter and show me the earliest entry and latest (how long the session lasted).

So,

Query 1 outputs fields "Logon ID",
Query 2 takes these logon IDs and outputs fields LogonID, EarliestbyLogonID and LatestByLogonID

Is this possible at all in ES or is it a case of plugins/download and analyse?

jpountz · August 11, 2017, 7:59am

You should be able to do something with a query that looks like this (just replace the query with your query and timestamp with the field that stores the date of your log lines):

GET logs/_search
{
  "size": 0,
  "query": "query that identifies interesting documents",
  "aggs": {
    "ids": {
      "terms": {
        "field": "LogonID"
      },
      "aggs": {
        "earliest_login": {
          "min": {
            "field": "timestamp"
          }
        },
        "latest_login": {
          "max": {
            "field": "timestamp"
          }
        },
      }
    }
  }
}

Topic		Replies	Views
Equivalent to SQL window functions Elasticsearch	6	7318	March 11, 2019
Get latest documents where field is distinct Elasticsearch	3	3733	May 18, 2017
Getting the first and last entry(by timestamp) for each filename Elasticsearch	0	1892	January 10, 2018
Elasticsearch query that returns latest document for each group of criteria in the query Elasticsearch	0	503	December 25, 2020
Query to get latest log entries grouped by a field Elasticsearch	0	791	July 18, 2016

Chaining two queries, grouping and paritioning/windowing

Related topics