Combining two documents within the same index

vishal_M · October 1, 2019, 7:40pm

Hello Team,

I have a use-case of combining two documents (which has a similar timestamp for both the records) based on a value of a particular field. Please go through the data pic in detail.

If you observe the data in line no 1 and line number 4, the device value and remote value are interchanged(client - server flow & server client flow). I want to display similar output as line 5 (based on the value of the device field in one document, I want to check the value of Remote. If both are the same(equal), I want to display (client - server flow )device, remote, app, protocol and add the values of bytes for the initial record and matched record).

I can do it by adding extra logic in an API, process it and push it to the ES index as the way I wanted. But, I want to handle it in the Kibana side.

Is there any way I can do it in Kibana by writing script fields on top of the index pattern in Kibana (Index Management) / any alternative methods?

Thanks in advance ..

Mark_Harwood · October 4, 2019, 9:49am

I'd use a script to create a single concatenated string from the 2 values, ensuring they are sorted otherwise you get A_B and B_A as 2 different terms.

vishal_M · October 4, 2019, 1:18pm

Can u please share me a sample script for my output. I have done one script field for Addition . But, not similar to this use case..

def total = doc['bytesrcvd'].value + doc ['bytessent'].value; return total;

Thanks,
Vishal

system · November 1, 2019, 1:18pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.