Hello, I have a SIEM-like flow of logs. I mean, 3 or more logs with an identifier (same value in all the logs). My last received log is the one I want to "keep" or "consider". Is there any way to apply this concept to my Visualization? I mean, if I do a count on the documents, it counts all the "repeated" logs so there's an incorrect value. Is there a way to do a "delta" or tell Kibana to only count the last log of that flow? I hope I've explained myself correctly. Thanks.
I would build a "Latest Transform", which is pretty much exactly what you're asking for. That will create a new index and then allows you to do visualizations from it.
For example, I've used this to get the last log from each host, and that way I can see what the last log is and when the last time it checked in was. Instead of host as the unique key you would use your identifier.
If you just follow the builder example, you should be able to create one.
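As an added illustration (not code from either poster), the following Python shows the two halves of that approach: a local simulation of what a latest transform keeps, so you can see the raw count versus the per-identifier count on constructed sample logs, and the request body you would send with `PUT _transform/<id>` to build the dest index. The index names and the `flow_id` / `@timestamp` field names are assumptions; substitute your own identifier field.

```python
import json

# Constructed sample log flow: the same identifier shows up in several
# events, and events are not guaranteed to arrive in time order.
SAMPLE_LOGS = [
    {"@timestamp": "2024-01-01T10:00:00Z", "flow_id": "A", "status": "open"},
    {"@timestamp": "2024-01-01T10:01:00Z", "flow_id": "B", "status": "open"},
    {"@timestamp": "2024-01-01T10:12:00Z", "flow_id": "A", "status": "closed"},
    {"@timestamp": "2024-01-01T10:02:00Z", "flow_id": "C", "status": "open"},
    {"@timestamp": "2024-01-01T10:05:00Z", "flow_id": "A", "status": "ack"},
    {"@timestamp": "2024-01-01T10:03:00Z", "flow_id": "B", "status": "closed"},
]


def latest_per_key(docs, unique_key, sort_field):
    """Mirror what a latest transform writes to its dest index: one document
    per unique_key value, the one with the greatest sort_field.
    ISO-8601 UTC timestamps compare correctly as strings."""
    latest = {}
    for doc in docs:
        key = tuple(doc[k] for k in unique_key)
        current = latest.get(key)
        if current is None or doc[sort_field] > current[sort_field]:
            latest[key] = doc
    return list(latest.values())


def raw_vs_latest_count(docs, unique_key, sort_field):
    """The count a visualization on the raw index gives vs. the count it
    gives on the transform's dest index."""
    return len(docs), len(latest_per_key(docs, unique_key, sort_field))


def latest_transform_body(source_index, dest_index, unique_key, sort_field):
    """Body for PUT _transform/<id>. 'latest' is the documented transform
    type; sync.time lets it run continuously on new logs (assumed 60s delay
    for late-arriving events)."""
    return {
        "source": {"index": source_index},
        "dest": {"index": dest_index},
        "latest": {"unique_key": list(unique_key), "sort": sort_field},
        "sync": {"time": {"field": sort_field, "delay": "60s"}},
        "frequency": "1m",
    }


if __name__ == "__main__":
    print(raw_vs_latest_count(SAMPLE_LOGS, ["flow_id"], "@timestamp"))
    print(json.dumps(latest_transform_body("logs-flows-*", "flows-latest",
                                           ["flow_id"], "@timestamp"), indent=2))
```

Point the visualization at the dest index (`flows-latest` in the example) rather than the raw log index, and the count becomes one per identifier.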