Detect sessions via timestamp and threshold

Hey,

I'm not sure if this is the right area to post this, maybe it should be Kibana, but I'll just give it a try.

I currently have firewall logs in my indices with timestamps, IP addresses, sent and received bytes, and session IDs.

The problem is, the logging of the session IDs is not current and currently builds up packages of a maximum of three datasets. Now I want to figure out, according to the timestamps, when a session was over and the other began. I was thinking of using a certain threshold of 60 seconds or something like that as help, but I'm not quite sure how to start.

Somehow I have to check if the following dataset and its timestamp is still within my threshold or not and build my sessions out of it. Is there a way to do so? Is there maybe also a way to report this as text data (for example CSV)?

And another question which precedes on the questions asked before: Is there a way to find sessions which are longer than five seconds?

Thank you very much!

Best regards.
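
An added example, not part of the original post: gap-based sessionization done client-side in Python over exported log records, where a gap above the threshold between consecutive events of the same source/destination pair starts a new session. The field names (`ts`, `src`, `dst`, `sent`, `rcvd`) and the sample records are constructed assumptions, not the poster's index mapping.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample records (deliberately not in time order).
SAMPLE = [
    {"ts": "2024-01-01T10:00:20", "src": "10.0.0.5", "dst": "192.0.2.10", "sent": 80, "rcvd": 150},
    {"ts": "2024-01-01T10:00:00", "src": "10.0.0.5", "dst": "192.0.2.10", "sent": 120, "rcvd": 300},
    {"ts": "2024-01-01T10:00:10", "src": "10.0.0.7", "dst": "198.51.100.4", "sent": 60, "rcvd": 90},
    {"ts": "2024-01-01T10:00:13", "src": "10.0.0.7", "dst": "198.51.100.4", "sent": 30, "rcvd": 45},
    {"ts": "2024-01-01T10:00:50", "src": "10.0.0.5", "dst": "192.0.2.10", "sent": 40, "rcvd": 60},
    {"ts": "2024-01-01T10:03:00", "src": "10.0.0.5", "dst": "192.0.2.10", "sent": 200, "rcvd": 500},
]

def sessionize(records, gap_seconds=60):
    """Group records per (src, dst); a gap above the threshold opens a new session."""
    gap = timedelta(seconds=gap_seconds)
    sessions, open_by_pair = [], {}
    for rec in sorted(records, key=lambda r: datetime.fromisoformat(r["ts"])):
        ts = datetime.fromisoformat(rec["ts"])
        pair = (rec["src"], rec["dst"])
        cur = open_by_pair.get(pair)
        if cur is None or ts - cur["end"] > gap:
            cur = {"src": pair[0], "dst": pair[1], "start": ts, "end": ts,
                   "events": 0, "sent": 0, "rcvd": 0}
            open_by_pair[pair] = cur
            sessions.append(cur)
        cur["end"] = ts
        cur["events"] += 1
        cur["sent"] += rec["sent"]
        cur["rcvd"] += rec["rcvd"]
    for s in sessions:
        s["duration_s"] = (s["end"] - s["start"]).total_seconds()
    return sessions

def longer_than(sessions, seconds=5):
    """Keep only sessions whose first-to-last event span exceeds the limit."""
    return [s for s in sessions if s["duration_s"] > seconds]

def to_csv(sessions):
    """Render sessions as CSV text with ISO 8601 start and end times."""
    fields = ["src", "dst", "start", "end", "duration_s", "events", "sent", "rcvd"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields)
    writer.writeheader()
    for s in sessions:
        writer.writerow({**s, "start": s["start"].isoformat(), "end": s["end"].isoformat()})
    return buf.getvalue()
```

A session with a single event has a duration of 0 seconds here, because duration is measured from the first to the last event seen.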
