How to combine two logs and find part of common

MR98 · March 8, 2024, 9:55pm

Hi all,
I would like to create visualization based on search filter.
I have two type of logs. Every log has two fields: message and objectID.

Log history for example:

Log1 - message: "MESSAGE.TEST.1" objectID: "123"
Log2 - message: "MESSAGE.ANOTHER.TEST.2" objectID: "123"
Log3 - message: "MESSAGE.TEST.1" objectID: "456"
Log4 - message: "MESSAGE.TEST.1" objectID: "789"
Log5 - message: "MESSAGE.ANOTHER.TEST.2" objectID: "789"
Log6 - message: "MESSAGE.TEST.1" objectID: "999"

I would like to have part of common where objectID has both messages as result . So in this example result should be 2 becouse only objectID: "789" and objectID: "123" had both messages in logs. How should I group it?

tsullivan · March 19, 2024, 7:57pm

You can use the Transform feature of Elasticsearch to pivot the data into a new index that is entity-centric around objectID. A transform is a continuous process that keeps the destination index up-to-date as new data comes in.

You can learn more about the Transforms feature here: https://www.elastic.co/guide/en/elasticsearch/reference/current/transform-overview.html

system · April 16, 2024, 7:58pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.