Hoping to get some guidance here.
I'm trying to correlate session IDs from two different events, a heartbeat sent every 10 minutes and a disconnect that could be sent at any time. The goal is to get the number of active sessions for the last 10 minutes in a Kibana visualization.
I don't think this is possible with the raw events in Elasticsearch, is that correct?
Would a Logstash pipeline be the general approach here?
It seems like I should be able to use something like this Aggregate Filter example, using the heartbeat to add session IDs to a periodic "active sessions" event and the shutdown to remove the session ID. Does this seem like a reasonable approach, or is there something simpler?
If this is the approach, can I initialize the next "active sessions" array from the most recent active-sessions event?
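The tracking logic sketched in this post, as an added example that is not the poster's code: plain Ruby (the language of a Logstash `ruby` or `aggregate` filter `code` block) that updates a session map on heartbeats, removes IDs on disconnect, drops sessions silent for longer than the window, and emits the periodic active-sessions snapshot from the map it carries forward. The event field names, the window size and the sample events are assumptions constructed for the example.

```ruby
require 'time'

# Assumed: heartbeats arrive every 600 s; in production use a window a little
# larger than the heartbeat interval so clock jitter does not evict live sessions.
HEARTBEAT_INTERVAL = 600

class SessionTracker
  # The map itself is the state carried between snapshots, which is what
  # "initialize the next array from the most recent event" amounts to.
  def initialize(window: HEARTBEAT_INTERVAL)
    @window = window
    @last_seen = {} # session_id => Time of the most recent heartbeat
  end

  # Assumed event shape: {'type', 'session_id', '@timestamp'} (constructed).
  def process(event)
    sid = event['session_id']
    ts = Time.parse(event['@timestamp'])
    case event['type']
    when 'heartbeat'  then @last_seen[sid] = ts
    when 'disconnect' then @last_seen.delete(sid)
    end
  end

  # Sessions heard from inside the window as of `now`. Stale entries are pruned
  # so a session whose disconnect event was lost does not stay active forever.
  def active(now)
    @last_seen.delete_if { |_, t| now - t > @window }
    @last_seen.keys.sort
  end

  # The periodic "active sessions" event the post wants to chart in Kibana.
  def snapshot(now)
    ids = active(now)
    { '@timestamp' => now.iso8601, 'type' => 'active_sessions',
      'count' => ids.size, 'session_ids' => ids }
  end
end

# Constructed sample events, already in timestamp order.
SAMPLE_EVENTS = [
  { 'type' => 'heartbeat',  'session_id' => 's1', '@timestamp' => '2024-01-01T00:00:00Z' },
  { 'type' => 'heartbeat',  'session_id' => 's2', '@timestamp' => '2024-01-01T00:00:00Z' },
  { 'type' => 'disconnect', 'session_id' => 's2', '@timestamp' => '2024-01-01T00:05:00Z' },
  { 'type' => 'heartbeat',  'session_id' => 's1', '@timestamp' => '2024-01-01T00:10:00Z' },
  { 'type' => 'heartbeat',  'session_id' => 's3', '@timestamp' => '2024-01-01T00:12:00Z' },
  { 'type' => 'heartbeat',  'session_id' => 's3', '@timestamp' => '2024-01-01T00:20:00Z' }
].freeze

# Feed all sample events and take the snapshot at 00:21: s2 disconnected,
# s1 silent for 660 s (evicted), s3 still active.
def demo
  tracker = SessionTracker.new
  SAMPLE_EVENTS.each { |e| tracker.process(e) }
  tracker.snapshot(Time.parse('2024-01-01T00:21:00Z'))
end
```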