Hi all,
If I have a log with:
- @timestamp
- EVENTNO (Event number) and
- DEVICEID (Device ID)
and this happens: whenever a specific event occurs, it always has a start (EVENTNO="300095") and an end (EVENTNO="300096"). I need to know how much time passes between both events.
What I'm trying is to have both times in the same document. So far, when EVENTNO 300095 occurs, I copy @timestamp as t_start (and the same when event 300096 occurs, I copy it as t_end). The problem is that both times are in different documents (another problem is that a DEVICEID can have multiple events like this, so I can't just update the docs using DEVICEID as the key/ID).
It would be great to have something like "update until you update the field t_end ONCE", but I guess that doesn't exist.
I tried with EQL, and when I used sequences, I got pairs of events (300095 and 300096) from the same DEVICEID, but the join_keys were wrong, I don't know why.
Any ideas on how to approach this problem?
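One way to get start/end durations per device, as an added example that is not part of the original post: pair the events offline by DEVICEID, keeping a FIFO of pending starts per device so that a device with several overlapping start/end pairs still gets each end matched to its oldest unmatched start (the FIFO policy is an assumption; swap it for a stack if your events nest instead). The field names come from the post; the sample documents and the EQL response fragment are constructed here, and the `sequence by DEVICEID` query in the comment is only the shape such a query would take.

```python
from collections import defaultdict, deque
from datetime import datetime

START_EVENT = "300095"   # event that opens an interval (from the post)
END_EVENT = "300096"     # event that closes it (from the post)

# Constructed sample documents, in the shape the post describes (not real log data).
SAMPLE_DOCS = [
    {"@timestamp": "2024-01-01T10:00:00Z", "EVENTNO": "300095", "DEVICEID": "dev-A"},
    {"@timestamp": "2024-01-01T10:00:05Z", "EVENTNO": "300095", "DEVICEID": "dev-B"},
    {"@timestamp": "2024-01-01T10:00:30Z", "EVENTNO": "300096", "DEVICEID": "dev-A"},
    {"@timestamp": "2024-01-01T10:01:00Z", "EVENTNO": "300095", "DEVICEID": "dev-A"},
    {"@timestamp": "2024-01-01T10:01:10Z", "EVENTNO": "300096", "DEVICEID": "dev-B"},
    {"@timestamp": "2024-01-01T10:02:00Z", "EVENTNO": "300096", "DEVICEID": "dev-A"},
    # An end with no preceding start: must be reported, not silently paired.
    {"@timestamp": "2024-01-01T10:03:00Z", "EVENTNO": "300096", "DEVICEID": "dev-C"},
]


def parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps used in the sample documents."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def pair_events(docs, start=START_EVENT, end=END_EVENT):
    """Match each END event to the oldest pending START of the same DEVICEID.

    Returns (pairs, unmatched_starts, unmatched_ends) so that gaps in the
    data (a device that never closed, or closed without opening) are visible
    instead of being averaged away.
    """
    ordered = sorted(docs, key=lambda d: parse_ts(d["@timestamp"]))
    pending = defaultdict(deque)          # DEVICEID -> FIFO of open start times
    pairs, unmatched_ends = [], []
    for doc in ordered:
        device, ts = doc["DEVICEID"], parse_ts(doc["@timestamp"])
        if doc["EVENTNO"] == start:
            pending[device].append(ts)
        elif doc["EVENTNO"] == end:
            if pending[device]:
                t_start = pending[device].popleft()
                pairs.append({
                    "DEVICEID": device,
                    "t_start": t_start.isoformat(),
                    "t_end": ts.isoformat(),
                    "duration_s": (ts - t_start).total_seconds(),
                })
            else:
                unmatched_ends.append(doc)
    unmatched_starts = {dev: [t.isoformat() for t in q] for dev, q in pending.items() if q}
    return pairs, unmatched_starts, unmatched_ends


# If the pairing is done in EQL instead, the query would have this shape
# (assumed, not taken from the post):
#   sequence by DEVICEID with maxspan=1h
#     [any where EVENTNO == "300095"]
#     [any where EVENTNO == "300096"]
# and each hit in hits.sequences carries join_keys plus the two events.

# Constructed fragment of an EQL search response in that layout.
SAMPLE_EQL_RESPONSE = {
    "hits": {
        "sequences": [
            {
                "join_keys": ["dev-A"],
                "events": [
                    {"_source": {"@timestamp": "2024-01-01T10:00:00Z", "EVENTNO": "300095"}},
                    {"_source": {"@timestamp": "2024-01-01T10:00:30Z", "EVENTNO": "300096"}},
                ],
            }
        ]
    }
}


def durations_from_eql_response(response):
    """Compute t_end - t_start for every two-event sequence in an EQL response."""
    results = []
    for seq in response["hits"]["sequences"]:
        first, last = seq["events"][0]["_source"], seq["events"][-1]["_source"]
        delta = parse_ts(last["@timestamp"]) - parse_ts(first["@timestamp"])
        results.append({"DEVICEID": seq["join_keys"][0], "duration_s": delta.total_seconds()})
    return results


if __name__ == "__main__":
    pairs, open_starts, stray_ends = pair_events(SAMPLE_DOCS)
    for p in pairs:
        print(f'{p["DEVICEID"]}: {p["duration_s"]:.0f}s ({p["t_start"]} -> {p["t_end"]})')
    print("still open:", open_starts, "| ends without start:", len(stray_ends))
    print("from EQL response:", durations_from_eql_response(SAMPLE_EQL_RESPONSE))
```

The unmatched buckets are the part worth keeping: a device whose end event never arrives, or an end with no start, is exactly the case that breaks a naive "update the document keyed by DEVICEID" approach, and surfacing it tells you whether the join keys or the data are at fault.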