Let's consider the sample events below:
_index:windows_security empId:12345 action:create time:0900
_index:windows_security empId:12345 action:delete time:0910
_index:windows_security empId:12345 action:created time:1500
_index:windows_security empId:12345 action:modified time:1510
The user has done two sets of actions, one set around 09:00 and the other set around 15:00.
I want to pair such events based on the same empId, but if the actions are done within a span of, say, 15 minutes, I want to consider them part of the same session.
So ideally, for the events above, I want to see that in the 1st session the user created and deleted,
and in the 2nd session the user created and modified.
How can we achieve this in Elastic?
(In Splunk, there is a transaction
command that does something similar. What's the equivalent in Elasticsearch?)
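The gap-based grouping that Splunk's transaction command does with maxpause (and, optionally, maxspan) can be reproduced client-side over the hits a search returns. The following is an added example, not code from the original post or from Elastic: it assumes the events have already been retrieved (for example the hits.hits list of a _search response) and that the time field is HHMM on a single day, as in the sample above; the SAMPLE_HITS list is constructed from those four events. It also generalizes to several empId values and to an explicit maxspan cutoff, which the post does not ask for.

```python
"""Sessionize Elasticsearch hits by empId with a maximum pause between events.

Added example (not from the original post).  Mirrors Splunk's
`transaction empId maxpause=15m`: consecutive events of the same empId that
are no more than maxpause apart belong to one session.  An optional maxspan
caps the total duration of a session, like Splunk's maxspan.
"""
from datetime import datetime, timedelta

# Constructed sample hits in the shape of a _search response's hits.hits list,
# built from the four events in the question.  Only the shown fields are kept.
SAMPLE_HITS = [
    {"_index": "windows_security", "_source": {"empId": 12345, "action": "create", "time": "0900"}},
    {"_index": "windows_security", "_source": {"empId": 12345, "action": "delete", "time": "0910"}},
    {"_index": "windows_security", "_source": {"empId": 12345, "action": "created", "time": "1500"}},
    {"_index": "windows_security", "_source": {"empId": 12345, "action": "modified", "time": "1510"}},
]


def parse_hhmm(value, day=datetime(2024, 1, 1)):
    """Assumption: the time field is HHMM on one day; turn it into a datetime."""
    return day.replace(hour=int(value[:2]), minute=int(value[2:]), second=0, microsecond=0)


def sessionize(hits, key="empId", maxpause=timedelta(minutes=15), maxspan=None):
    """Group hits into sessions per key, in time order.

    A new session starts when the key changes, when the gap to the previous
    event of that key exceeds maxpause, or (if maxspan is given) when adding the
    event would make the session longer than maxspan.  Returns a list of dicts
    with the session key, start, end and the ordered list of actions.
    """
    # Sort by key then time so one linear pass suffices, whatever order the
    # search returned the hits in.
    events = sorted(
        ((parse_hhmm(h["_source"]["time"]), h["_source"]) for h in hits),
        key=lambda e: (e[1][key], e[0]),
    )
    sessions = []
    current = None
    for ts, src in events:
        starts_new = (
            current is None
            or src[key] != current["key"]
            or ts - current["end"] > maxpause
            or (maxspan is not None and ts - current["start"] > maxspan)
        )
        if starts_new:
            current = {"key": src[key], "start": ts, "end": ts, "actions": []}
            sessions.append(current)
        current["end"] = ts
        current["actions"].append(src["action"])
    return sessions


def describe(session):
    """One-line summary in the spirit of a transaction row: key, window, actions."""
    return "{} {}-{}: {}".format(
        session["key"],
        session["start"].strftime("%H%M"),
        session["end"].strftime("%H%M"),
        ",".join(session["actions"]),
    )


if __name__ == "__main__":
    for s in sessionize(SAMPLE_HITS):
        print(describe(s))
```

The gap test is strictly greater than maxpause, so two events exactly 15 minutes apart still share a session, which matches how a pause threshold is normally read; change the comparison if the boundary should close the session. Sorting by key first means hits for several employees can be fed in together from a single search.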