Creating new field by aggregating values from existing field values

We want to create a new field, "ProcCount3minAvg", for all the documents in Elasticsearch. "ProcCount3minAvg" is the avg aggregation value of a floating point field captured from logs called "ProcCount". The avg value should be over the ProcCount field values of the last 3 documents.

Example.

Request          ProcCount   ProcCount3minAvg

MicroserviceA    3           3     [(3+0+0)/3]
MicroserviceB    4           3.5   [(3+4+0)/3]
MicroserviceC    3           3.33  [(3+4+3)/3]
MicroserviceA    5           4.0   [(5+3+4)/3]
MicroserviceB    2           3.33  [(2+5+3)/3]
MicroserviceC    6           4.33  [(6+2+5)/3]
MicroserviceA    4           4.0   [(4+6+2)/3]
MicroserviceB    1           3.66  [(1+4+6)/3]
MicroserviceC    7           4.0   [(7+1+4)/3]
MicroserviceA    5           4.33  [(5+7+1)/3]
MicroserviceB    7           6.33  [(7+5+7)/3]

How can we create this new field: using the Mutate filter in Logstash, a Kibana scripted field, or anything at the Elasticsearch 6.8 indexing level? This will help us create a POC to migrate visualizations from Splunk to ELK.
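Added example, not part of the original post or any reply to it. The mutate filter and Kibana scripted fields both operate on one event or document at a time with no memory of the previous ones, so neither can compute a "last 3 documents" average; a Logstash ruby filter can, because it keeps state between events. The script below is written in the shape of a Logstash ruby filter script file (register/filter) and implements a trailing window over the last N events. The field names, the "window"/"source"/"target"/"zero_pad" params, the Event stand-in used to run it offline, and the sample values are assumptions of this example.

```ruby
# Added example (not from the post): trailing-N moving average over the last N
# events, written in the shape of a Logstash `ruby` filter script file.
# Wire it up with, e.g.
#   filter { ruby { path => "proc_count_avg.rb"
#                   script_params => { "window" => 3 } } }
# and run the pipeline with a single worker (pipeline.workers: 1), otherwise
# events reach the filter out of order and each worker keeps its own state.
# Field names, param names and the zero_pad option are assumptions here.

# Offline stand-in for LogStash::Event (constructed for this example). Inside
# Logstash the real event object is passed in and this class is never defined.
unless defined?(LogStash::Event)
  class Event
    def initialize(fields); @fields = fields; end
    def get(name); @fields[name]; end
    def set(name, value); @fields[name] = value; end
  end
end

def register(params)
  @window   = Integer(params.fetch("window", 3))
  @source   = params.fetch("source", "ProcCount")
  @target   = params.fetch("target", "ProcCount3minAvg")
  # zero_pad=true divides by N even before N values have been seen, which is
  # what the post's bracketed formulas [(3+0+0)/3] describe; the default
  # averages only the values seen so far, which matches the post's first rows.
  @zero_pad = params.fetch("zero_pad", false) == true
  @recent   = []   # the last @window numeric values, oldest first
end

def filter(event)
  value = Float(event.get(@source)) rescue nil
  return [event] if value.nil?   # missing or non-numeric: pass through untouched
  @recent.push(value)
  @recent.shift while @recent.size > @window
  denominator = @zero_pad ? @window : @recent.size
  event.set(@target, (@recent.sum / denominator).round(2))
  [event]
end

# Stand-alone driver: feeds a list of ProcCount values through the filter and
# returns the computed averages (nil where the filter left the event untouched).
def demo(values, params = {})
  register(params)
  values.map { |v| filter(Event.new("ProcCount" => v))[0].get("ProcCount3minAvg") }
end

if __FILE__ == $PROGRAM_NAME
  # The post's sequence of ProcCount values (constructed sample input).
  puts demo([3, 4, 3, 5, 2, 6, 4, 1, 7, 5, 7]).inspect
end
```

Note that this is a window over event count, not over time, so the "3min" in the field name is a misnomer for what the post describes; a time window would need the event timestamp and a window keyed on it. If the value only has to be computed at query time rather than stored, Elasticsearch 6.8 also offers the `moving_fn` pipeline aggregation under a `date_histogram`, which is bucket-based rather than per document.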
