Duplicate session ID

Hi everyone, I have configured Fortigate to send logs to Elasticsearch. However, when there's a long-lived session, Fortigate creates a duplicate session ID every 2 minutes and consistently adds data size to the previous one. This results in inaccurate data being displayed in Elasticsearch.
If anyone can help me to filter network.bytes by the last duplicate session ID.

This is a duplicate session ID.

I wonder if you could use the sampler aggregation here on top of a terms aggregation by session ID. Then you could make sure to order by most recent?


Thank you, but I tried this aggs:
{
  "size": 0,
  "aggs": {
    "unique_sessions": {
      "terms": {
        "field": "session_id.keyword",
        "size": 10,
        "order": {
          "latest_event_timestamp": "desc"
        }
      },
      "aggs": {
        "latest_event_timestamp": {
          "max": {
            "field": "@timestamp"
          }
        },
        "latest_event": {
          "top_hits": {
            "size": 1,
            "sort": [
              {
                "@timestamp": {
                  "order": "desc"
                }
              }
            ]
          }
        }
      }
    }
  }
}
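Added example (not code from the thread or from Elastic/Fortinet): it takes the question in the first post, keeping only the last of the repeated records per session ID so that network.bytes is not over-counted, and the terms + top_hits aggregation posted above, and shows both the corrected request body (plain JSON, since Elasticsearch rejects `//` comments in a request) and the equivalent reduction done client-side on a few constructed log records, plus a parser for the response shape that top_hits returns. Field names (`session_id`, `@timestamp`, `network.bytes`) and the assumption that each repeated record carries the cumulative byte count are taken from the thread; the function names are mine.

```python
"""Collapse Fortigate's repeated session records to the most recent one.

Added example, not code from the original thread. It assumes ECS-style
documents with fields `session_id`, `@timestamp` and `network.bytes`, and
that each repeated record for a session carries the cumulative byte count,
so the latest record per session_id is the one to keep.
"""
import json
from datetime import datetime, timezone

# Server-side version of the poster's aggregation: one bucket per session_id,
# each bucket reduced to its most recent document via top_hits. Plain JSON,
# so no `//` comments (Elasticsearch rejects them in the request body).
LATEST_PER_SESSION_QUERY = {
    "size": 0,
    "aggs": {
        "unique_sessions": {
            "terms": {
                "field": "session_id.keyword",
                "size": 10000,
                "order": {"latest_event_timestamp": "desc"},
            },
            "aggs": {
                "latest_event_timestamp": {"max": {"field": "@timestamp"}},
                "latest_event": {
                    "top_hits": {
                        "size": 1,
                        "sort": [{"@timestamp": {"order": "desc"}}],
                        "_source": ["session_id", "@timestamp", "network.bytes"],
                    }
                },
            },
        }
    },
}


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp (as shipped by Beats/Logstash) into UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def latest_bytes_per_session(events):
    """Client-side reduction: keep only the newest record for each session_id.

    Returns {session_id: network.bytes of the latest record}. Because the
    firewall reports cumulative bytes, that value is the session total; summing
    every repeat would over-count the long-lived session.
    """
    latest = {}
    for ev in events:
        sid = ev["session_id"]
        ts = parse_ts(ev["@timestamp"])
        if sid not in latest or ts > latest[sid][0]:
            latest[sid] = (ts, ev["network"]["bytes"])
    return {sid: nbytes for sid, (_, nbytes) in latest.items()}


def bytes_from_top_hits(response):
    """Extract the same mapping from an Elasticsearch response to the query above."""
    result = {}
    for bucket in response["aggregations"]["unique_sessions"]["buckets"]:
        hit = bucket["latest_event"]["hits"]["hits"][0]["_source"]
        result[bucket["key"]] = hit["network"]["bytes"]
    return result


# Constructed sample events: session 1001 is long-lived and is re-logged every
# two minutes with a growing cumulative byte count; session 1002 is short.
SAMPLE_EVENTS = [
    {"session_id": "1001", "@timestamp": "2024-05-01T10:00:00Z", "network": {"bytes": 1500}},
    {"session_id": "1002", "@timestamp": "2024-05-01T10:00:30Z", "network": {"bytes": 800}},
    {"session_id": "1001", "@timestamp": "2024-05-01T10:02:00Z", "network": {"bytes": 4200}},
    {"session_id": "1001", "@timestamp": "2024-05-01T10:04:00Z", "network": {"bytes": 9100}},
]

# Constructed response in the shape Elasticsearch returns for the query above.
SAMPLE_RESPONSE = {
    "aggregations": {
        "unique_sessions": {
            "buckets": [
                {"key": "1001", "doc_count": 3,
                 "latest_event_timestamp": {"value_as_string": "2024-05-01T10:04:00Z"},
                 "latest_event": {"hits": {"hits": [{"_source": SAMPLE_EVENTS[3]}]}}},
                {"key": "1002", "doc_count": 1,
                 "latest_event_timestamp": {"value_as_string": "2024-05-01T10:00:30Z"},
                 "latest_event": {"hits": {"hits": [{"_source": SAMPLE_EVENTS[1]}]}}},
            ]
        }
    }
}

if __name__ == "__main__":
    print(json.dumps(LATEST_PER_SESSION_QUERY, indent=2))
    print(latest_bytes_per_session(SAMPLE_EVENTS))   # {'1001': 9100, '1002': 800}
    print(bytes_from_top_hits(SAMPLE_RESPONSE))      # same mapping, from the ES response
    print("naive sum:", sum(e["network"]["bytes"] for e in SAMPLE_EVENTS))  # 15600, over-counted
```

The naive sum (15600) versus the per-session latest values (9100 + 800) is the discrepancy the first post describes. Whether the repeated records carry cumulative or per-interval bytes depends on the Fortigate log type in use; the code follows the thread's description (cumulative), and if the firewall instead reports deltas the right reduction would be a sum, not a last-value pick, so check a known session against both before trusting a dashboard built on it.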
