Hi Ben,
There's an approach using Logstash and an "elapsed" plugin which can join related records together. We got into some of the architectural concerns over that here.
Another approach is to use an entity-centric index; example scripts and discussion here.