Detecting specific event sequences in data streams

Kargo · September 6, 2023, 7:40pm

Hey there.

I have a datastream in Elasticsearch with mappings similar to this:

{
  "mappings": {
    "properties": {
      "@timestamp": {"type": "date"},  
      "event-type": {"type": "keyword"}, 
      "session": {"type": "keyword"},
      "message": {"type": "keyword"}
    }
  }
}

Given a sequence of documents like below, I need a term aggregation of the messages preceeding the "complete" event-type in the same session , which in this case would be ipsum: 1 and lorem: 1

{
  "event-type":  "recieving", 
  "session":   "1",
  "message":  "lorem", 
},
{
  "event-type":  "recieving", 
  "session":   "1",
  "message":  "ipsum", 
},
{
  "event-type":  "complete", 
  "session":   "1",
},
{
  "event-type":  "recieving", 
  "session":   "2",
  "message":  "lorem", 
},
{
  "event-type":  "recieving", 
  "session":   "1",
  "message":  "ipsum", 
}
{
  "event-type":  "complete", 
  "session":   "2",
}

Any ideas on how to do this within Elasticsearch? or would I need to retrieve all the events in the datastream for manual processing outside Elasticsearch.

system · October 4, 2023, 7:40pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Aggregate and query transactions from indexed events Elasticsearch	3	614	September 26, 2018
How to do sequence matching Elasticsearch	5	3137	July 6, 2017
Could I query all docs where there are multiple occurrences of my term? Elasticsearch	3	1636	February 11, 2019
Search for a sequence Elasticsearch	2	598	July 6, 2017
Time/Order based query Elasticsearch	3	370	July 5, 2017

Detecting specific event sequences in data streams

Related topics