How can I make a query in Discovery that only show me different documents for different events sharing a common field like Session-Id that the time elapsed between two consecutive events is less than a certain amount of time?
For instance:
Session-Id: 123, Type: Start, time: 01:00
Session-Id: 123, Type: Update, time: 01:10
Session-Id: 123, Type: Stop, time: 01:15
Session-Id: 321, Type: Start, time:02:00
Session-Id: 321, Type: Update, time: 03:00
So I don't want to see the document with the Session-Id field 321 for it has two events 1 hour apart from each other, but the one with Session-Id 123 should show up on my query.
Is there a way to achieve this without using the elapsed logstash filter? I also would have to account for like 5 different type values, so even using elapsed logstash filter that would be a bit tricky I guess.