Distinct count with filter

As you indicate, Logstash has some features to join related documents in the ingest stream.

Another general approach is to land the events in the index first and then use a job to periodically (every few seconds?) update a separate "session" index with the latest recorded activities in the event index.
See: "entity-centric indexing".

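To make the second approach concrete, here is an added example (my own sketch, not code from the reply above or from Elastic) of what the periodic job does: it reads the events that arrived since its last run, folds each one into a per-session document in a separate "session" index, and then answers the thread's "distinct count with filter" question straight from that session document. Plain Python dicts stand in for the event index and the session index, and the event records are constructed sample data; the field names (`session_id`, `action`, `status`) and the use of a timestamp watermark are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample events standing in for the raw event index (not from the thread).
# "status" is the field the distinct count is filtered on.
EVENTS = [
    {"@timestamp": "2024-01-01T10:00:00Z", "session_id": "s1", "user": "alice", "action": "login",  "status": "ok"},
    {"@timestamp": "2024-01-01T10:00:05Z", "session_id": "s1", "user": "alice", "action": "read",   "status": "ok"},
    {"@timestamp": "2024-01-01T10:00:09Z", "session_id": "s1", "user": "alice", "action": "delete", "status": "error"},
    {"@timestamp": "2024-01-01T10:00:12Z", "session_id": "s1", "user": "alice", "action": "delete", "status": "error"},
    {"@timestamp": "2024-01-01T10:00:20Z", "session_id": "s2", "user": "bob",   "action": "login",  "status": "error"},
    {"@timestamp": "2024-01-01T10:00:25Z", "session_id": "s2", "user": "bob",   "action": "login",  "status": "ok"},
    {"@timestamp": "2024-01-01T10:00:40Z", "session_id": "s1", "user": "alice", "action": "export", "status": "error"},
]

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse the ISO-8601 Zulu timestamps used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def events_after(events, watermark):
    """The slice one tick of the job would query: events newer than the last watermark, oldest first."""
    fresh = [e for e in events if parse_ts(e["@timestamp"]) > watermark]
    return sorted(fresh, key=lambda e: parse_ts(e["@timestamp"]))


def merge_event(doc, event):
    """Fold one raw event into its session's entity-centric document (an upsert)."""
    ts = parse_ts(event["@timestamp"])
    doc["first_seen"] = min(doc.get("first_seen", ts), ts)
    doc["last_seen"] = max(doc.get("last_seen", ts), ts)
    doc["event_count"] = doc.get("event_count", 0) + 1
    doc["last_action"] = event["action"]
    if event["status"] == "error":
        # Keep the distinct set of failed actions so the filtered distinct count is a lookup later.
        doc["error_actions"] = sorted(set(doc.get("error_actions", [])) | {event["action"]})
    return doc


def run_job(session_index, events, watermark):
    """One tick of the periodic job: read new events, upsert session docs, return the new watermark."""
    batch = events_after(events, watermark)
    for event in batch:
        sid = event["session_id"]
        doc = session_index.setdefault(sid, {"session_id": sid, "user": event["user"]})
        merge_event(doc, event)
    if batch:
        watermark = parse_ts(batch[-1]["@timestamp"])
    return watermark


def distinct_error_actions(session_index, session_id):
    """'Distinct count with filter' answered from the session doc: how many different actions failed."""
    return len(session_index.get(session_id, {}).get("error_actions", []))


if __name__ == "__main__":
    sessions = {}
    wm = run_job(sessions, EVENTS, EPOCH)
    for sid, doc in sessions.items():
        print(sid, doc["event_count"], "events;", distinct_error_actions(sessions, sid), "distinct failed actions")
```

The watermark is the weak point of this pattern: an event whose `@timestamp` is older than the last watermark (late arrival, clock skew on the source) is never folded in. In practice the job should key off an ingest-time field or re-read a small overlapping window and make `merge_event` idempotent per event id, otherwise the session index silently drifts from the event index.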