Hi,
I have non optimal logs as input, where actions via api are logged.
When a user logs in, I got username and session id in the log.
In following actions I only have the session id to trace the actions of a user.
I parsed both fields in logstash. It is fine if I want to follow the activities of a single user. Then I query for the login and filter for the username, then klick on the session id to filter and change the search for wildcard. Then I have everything for that session ID.
Now the problem is, that the user is used by an automatism in multiple threads meaning it is using multiple session ids in parallel.
Is there any kind of subselect / join I can use to get all session Ids at once and to put the result directly to the query as filter with OR condition? So that I will get all activities of all sessions Ids identifed by the user?
Thanks, Andreas