Hi,
I want to group (aggregate) records on the basis of a specific ID. At the moment, my data has an event START and END record identified by the IDs. START and END record have different fields in them which I want to combine in one row.
The current mapping is similar to the attached image:
Here, Batch_ID is the field which I want to use for combining. I want to combine the fields from both START and END records in such a way that one row has important fields from both records.
Thanks.
This type of aggregation can not be done in Discover. However you can use the data table vis to achieve that.
Best option is to join those events during index or by using transforms.
Thank you for the response @Felix_Roessel.
Joining events while indexing might not be possible as the duration of time between both these events can be in hours. Regarding the use of table vis or transforms, any useful link will be highly appreciated. Though, I will explore these options on my own as well.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
