Computing session durations from timestamps scattered over two documents

Hey Hendrik,

thanks a lot for your answer, you pointed in exactly the right direction! The webinar also proved to be very helpful.

I ended up using a data transform (which I already love!) and some scripting to compute session durations. Now for some reason, the Kibana interface didn't let me specify the script from the "Advanced Pivot Editor" (I might have done something wrong), but using the "Dev tools", creating the continuous data transform worked flawlessly.

For reference, I am pasting the API call here.

PUT _transform/sessions_continuous
{
  "source": {
    "index": [
      "filebeat-7.7.0-2020.05.22-000001"
    ]
  },
  "pivot": {
    "group_by": {
      "message_decoded.data.uuid": {
        "terms": {
          "field": "message_decoded.data.uuid"
        }
      }
    },
    "aggregations": {
      "@timestamp_max": {
        "max": {
          "field": "@timestamp"
        }
      },
      "@timestamp_min": {
        "min": {
          "field": "@timestamp"
        }
      },
      "duration": {
        "bucket_script": {
          "buckets_path": {
            "min": "@timestamp_min",
            "max": "@timestamp_max"
          },
          "script": "(params.max - params.min)/1000"
        }
      }
    }
  },
  "description": "Session durations",
  "dest": {
    "index": "continuous_sessions"
  },
  "frequency": "10s",
  "sync": {
    "time": {
      "field": "@timestamp",
      "delay": "10s"
    }
  }
}

Again, thanks a lot for your help!
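
Added example, not part of the original post and not Elastic's code: a local Python emulation of the pivot above, useful for checking what the destination index should contain for a handful of known events. The sample documents are constructed, the function names are hypothetical, and skipping documents that lack the uuid field is an assumption about how the `terms` group_by treats them.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample events carrying only the fields the transform reads.
DOCS = [
    {"@timestamp": "2020-05-22T10:00:00.000Z", "message_decoded": {"data": {"uuid": "a1"}}},
    {"@timestamp": "2020-05-22T10:00:42.500Z", "message_decoded": {"data": {"uuid": "a1"}}},
    {"@timestamp": "2020-05-22T10:05:00.000Z", "message_decoded": {"data": {"uuid": "b2"}}},
    {"@timestamp": "2020-05-22T10:06:00.000Z", "message_decoded": {}},  # no uuid
]


def epoch_millis(ts):
    """Parse an ISO-8601 UTC timestamp into epoch milliseconds (exact integer)."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return (dt - EPOCH) // timedelta(milliseconds=1)


def session_durations(docs):
    """Emulate the pivot: group by uuid, min/max of @timestamp, duration in seconds."""
    bounds = {}
    for doc in docs:
        uuid = doc.get("message_decoded", {}).get("data", {}).get("uuid")
        if uuid is None:
            continue  # assumption: documents without the group_by field are left out
        ts = epoch_millis(doc["@timestamp"])
        lo, hi = bounds.get(uuid, (ts, ts))
        bounds[uuid] = (min(lo, ts), max(hi, ts))
    # Same arithmetic as the bucket_script: milliseconds difference divided by 1000.
    return {
        uuid: {"@timestamp_min": lo, "@timestamp_max": hi, "duration": (hi - lo) / 1000}
        for uuid, (lo, hi) in bounds.items()
    }


if __name__ == "__main__":
    for uuid, row in session_durations(DOCS).items():
        print(uuid, row)
```

A session seen in only one event has equal min and max, so its duration is 0 until a later event with the same uuid arrives.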