Hello all,
I'm investigating using Elasticsearch (and other parts of the ELK stack) for the data source for log analysis tools my team is developing.
We're currently working with logs loaded into a postgres DB. One of the things we do is search for an error message (SQL query on the message column), then select a message of interest and perform a "context search" which returns some number of messages before and after the selected message.
In order to support this the log database includes a column containing a sequence number generated when the logs were loaded. This is used as an offset in a LIMIT/OFFSET SQL query to fetch the logs before and after the sequence number of a selected log.
Based on my understanding that each log line output from logstash into Elasticsearch is a document, with Elasticsearch if I identify a document, is it possible to have it return the logs (documents) before and after the identified document, and if so, how do I accomplish this?
I'd initially set out to use the _id field for this, looking for a way to find the document with _id , and return some number of documents before and after but so far I've only been able to get the single document, none before or after.
Thanks in advance.
Paul