I'm investigating using Elasticsearch (and other parts of the ELK stack) as the data source for the log analysis tools my team is developing.
We're currently working with logs loaded into a Postgres DB. One of the things we do is search for an error message (an SQL query on the message column), then select a message of interest and perform a "context search", which returns some number of messages before and after the selected message.
In order to support this, the log database includes a column containing a sequence number generated when the logs were loaded. This is used as an offset in a LIMIT/OFFSET SQL query to fetch the logs before and after the sequence number of the selected log.
My understanding is that each log line output from Logstash into Elasticsearch is a document. With Elasticsearch, if I identify a document, is it possible to have it return the logs (documents) before and after the identified document, and if so, how do I accomplish this?
I'd initially set out to use the _id field for this, looking for a way to find the document with a given _id and return some number of documents before and after it, but so far I've only been able to get the single document, none before or after.
Thanks in advance.
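The following is an added example, not part of the question above and not code from Elasticsearch or Logstash. It shows the Elasticsearch equivalent of the LIMIT/OFFSET context search: since `_id` carries no ordering, the window is built from two sorted `range` queries on a monotonically increasing sequence field that the ingest pipeline must store on every document (called `seq` here; the name is an assumption, and Logstash does not add such a field on its own). `context_queries` produces the two `_search` request bodies, `merge_context` reassembles the responses in log order, and `run_query_locally` is a stand-in for the real `_search` call so the example runs offline against a constructed list of documents. If the index has no sequence field, the same two-query shape works on a timestamp field, but then a tiebreaker sort key is needed because log lines can share a timestamp.

```python
"""Context search around one log document, expressed as Elasticsearch query bodies.

Added example; assumes every document carries a monotonically increasing
integer field (here called "seq", a name chosen for this example) that the
ingest pipeline assigns, playing the role of the sequence-number column in the
Postgres schema. Elasticsearch's _id is not ordered, so the window is built
from two sorted range queries on that field rather than from _id or from
from/size offsets.
"""

from typing import Any, Dict, List, Tuple

Doc = Dict[str, Any]
Query = Dict[str, Any]


def context_queries(seq: int, before: int, after: int, seq_field: str = "seq") -> Tuple[Query, Query]:
    """Build the two _search bodies for the documents around `seq`.

    The first body fetches the `before` nearest documents with a smaller
    sequence number (sorted descending so the nearest come first); the second
    fetches the `after` nearest with a larger one (sorted ascending).
    """
    before_q = {
        "size": before,
        "query": {"range": {seq_field: {"lt": seq}}},
        "sort": [{seq_field: {"order": "desc"}}],
    }
    after_q = {
        "size": after,
        "query": {"range": {seq_field: {"gt": seq}}},
        "sort": [{seq_field: {"order": "asc"}}],
    }
    return before_q, after_q


def merge_context(selected: Doc, before_hits: List[Doc], after_hits: List[Doc]) -> List[Doc]:
    """Reassemble the window in log order from the two responses.

    The 'before' response is nearest-first (descending), so it is reversed
    before being placed in front of the selected document.
    """
    return list(reversed(before_hits)) + [selected] + after_hits


def run_query_locally(docs: List[Doc], query: Query) -> List[Doc]:
    """Evaluate a body produced by context_queries against an in-memory list.

    Stand-in for the _search call so the example runs offline; it implements
    only the subset of the query DSL that context_queries emits (one range
    clause, one sort field, and size).
    """
    (field, bounds), = query["query"]["range"].items()
    (sort_field, sort_spec), = query["sort"][0].items()
    descending = sort_spec["order"] == "desc"

    def matches(doc: Doc) -> bool:
        v = doc[field]
        return all(
            (op == "lt" and v < bound) or (op == "gt" and v > bound)
            or (op == "lte" and v <= bound) or (op == "gte" and v >= bound)
            for op, bound in bounds.items()
        )

    hits = sorted((d for d in docs if matches(d)), key=lambda d: d[sort_field], reverse=descending)
    return hits[: query["size"]]


def context_window(docs: List[Doc], seq: int, before: int, after: int, seq_field: str = "seq") -> List[Doc]:
    """Full context search: locate the selected document, run both queries, merge."""
    selected = next(d for d in docs if d[seq_field] == seq)
    before_q, after_q = context_queries(seq, before, after, seq_field)
    return merge_context(selected, run_query_locally(docs, before_q), run_query_locally(docs, after_q))


# Constructed sample index: ten log lines with an ingest-time sequence number.
SAMPLE_DOCS: List[Doc] = [
    {"seq": i, "message": msg}
    for i, msg in enumerate([
        "service started", "listening on :8080", "GET /login 200",
        "POST /login 401 user=alice", "POST /login 401 user=alice",
        "ERROR account locked user=alice", "GET /login 200",
        "POST /login 200 user=bob", "GET /dashboard 200", "shutdown requested",
    ], start=1)
]


if __name__ == "__main__":
    # Two lines before and three after the "account locked" error (seq 6).
    for doc in context_window(SAMPLE_DOCS, seq=6, before=2, after=3):
        print(doc["seq"], doc["message"])
```

Against a real cluster, the two bodies from `context_queries` are sent as separate `_search` requests to the index (the sequence number of the selected document comes from the hit you already found by `_id`), and the hits from each response are passed to `merge_context`. Edge cases fall out naturally: near the start or end of the log the `range` clause simply returns fewer than `before` or `after` hits.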