I have 4 applications, each of which will write "Application started : App1", with the application's name at the end. In Logstash I used a grok filter to extract the application's name into a field 'appName'; I also added the tags '_event' and 'app_start', so that the document can be identified easily by its tags along with the 'appName' field.
grok {
  id => "App Start Event Filter"
  add_tag => ["_event", "app_start"]
  tag_on_failure => []
  match => { "message" => "Application started : %{GREEDYDATA:appName}" }
}
In Kibana, instead of a relative time or an absolute time (entered manually), how can I use the timestamp from this document as the 'from' value of the time range?
Is it possible to use a subquery in KQL, e.g. timestamp > (SUB_QUERY),
such that the subquery returns the timestamp of the record with matching tags and application name?
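KQL has no subquery operator, so the lookup the question describes is normally done in two steps: first find the start-event document (by tags and appName) and read its @timestamp, then use that value as the lower bound of a range filter. The script below is an added example, not code from the question or from Elastic; it mimics the question's grok filter with a regular expression over constructed log lines (the records, timestamps and helper names are assumptions) and then performs the two-step lookup in plain Python so the logic can be checked offline before it is translated into two Elasticsearch requests.

```python
import re
from datetime import datetime, timezone

# Regex equivalent of the grok pattern quoted in the question:
# "Application started : %{GREEDYDATA:appName}"
APP_START_RE = re.compile(r"Application started : (?P<appName>.*)")

# Constructed sample records (timestamp, message); not real log data.
SAMPLE_LINES = [
    ("2024-01-10T08:00:00Z", "Application started : App1"),
    ("2024-01-10T08:00:05Z", "Application started : App2"),
    ("2024-01-10T08:01:00Z", "App1 processed request"),
    ("2024-01-10T08:02:00Z", "Application started : App1"),
    ("2024-01-10T08:03:00Z", "App1 processed request"),
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as Logstash writes into @timestamp."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def enrich(ts, message):
    """Mimic the grok filter: on a match, set appName and add the two tags;
    on failure add nothing (the question's tag_on_failure => [])."""
    doc = {"@timestamp": parse_ts(ts), "message": message, "tags": []}
    m = APP_START_RE.match(message)
    if m:
        doc["appName"] = m.group("appName")
        doc["tags"] = ["_event", "app_start"]
    return doc


def build_docs():
    """Run the sample lines through the filter, as Logstash would before indexing."""
    return [enrich(ts, msg) for ts, msg in SAMPLE_LINES]


def latest_start_timestamp(docs, app_name):
    """Step 1, the part the question calls the subquery: the newest document
    tagged app_start whose appName matches. Returns None when there is none."""
    starts = [
        d for d in docs
        if "app_start" in d["tags"] and d.get("appName") == app_name
    ]
    if not starts:
        return None
    return max(d["@timestamp"] for d in starts)


def since_last_start(docs, app_name):
    """Step 2: the range filter @timestamp >= <value from step 1>.
    An empty result when no start event exists avoids silently widening the range."""
    start = latest_start_timestamp(docs, app_name)
    if start is None:
        return []
    return [d for d in docs if d["@timestamp"] >= start]


if __name__ == "__main__":
    docs = build_docs()
    for d in since_last_start(docs, "App1"):
        print(d["@timestamp"].isoformat(), d["message"])
```

In Elasticsearch terms, step 1 is a query on `tags: app_start AND appName: "App1"` sorted by @timestamp descending with size 1, and step 2 is a `range` filter on @timestamp using the value returned; returning nothing when the start event is missing is deliberate, since falling back to "all time" would make a dashboard look complete when the upstream grok match had actually failed.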