How to get all orders without a specific status in Kibana or Elasticsearch

I have a table of this type in Kibana:

| id | timestamp | status  |
|----|-----------|---------|
| 1  | time      | created |
| 1  | time      | closed  |
| 2  | time      | created |

How can I get all ids which don't have status "closed" and which were created more than 20 days ago?

Hey, it seems like your data is event based (one document per change of a status), but the question you want to answer is entity based (give all ids which have a certain combination of events).

To do this, the best option is to transform your event based index to an entity based index using transforms: https://www.elastic.co/guide/en/elasticsearch/reference/current/transform-overview.html

It allows you to create one document per id which you can use to store the first timestamp and the count of "closed" status updates.

You can set up transforms to run continuously on incoming data, maintaining two "views" on your data (event based and entity based, whenever it makes sense).
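A sketch of the approach described in the answer above, added here as an example and not part of the original thread: a pivot transform body that keeps the first timestamp and the count of "closed" events per id, the query to run against the resulting entity index, and a local emulation of both over constructed events. The index names `orders` and `orders_by_id`, the 5-minute frequency and the assumption that `status` is a keyword field are illustrative.

```python
from datetime import datetime, timedelta, timezone

# Body for PUT _transform/orders_by_id (index names are assumed, not from the thread).
TRANSFORM_BODY = {
    "source": {"index": "orders"},
    "dest": {"index": "orders_by_id"},
    "pivot": {
        "group_by": {"id": {"terms": {"field": "id"}}},
        "aggregations": {
            "first_seen": {"min": {"field": "timestamp"}},
            # A filter aggregation is written to the destination as its document count.
            "closed_count": {"filter": {"term": {"status": "closed"}}},
        },
    },
    # Continuous mode: the source is re-checked for new events at this interval.
    "frequency": "5m",
    "sync": {"time": {"field": "timestamp", "delay": "60s"}},
}

# Body for GET orders_by_id/_search: never closed, first event older than 20 days.
OPEN_OLD_QUERY = {
    "query": {"bool": {"filter": [
        {"term": {"closed_count": 0}},
        {"range": {"first_seen": {"lt": "now-20d"}}},
    ]}}
}

def pivot(events):
    """Local emulation of the transform: one entity document per id."""
    entities = {}
    for ev in events:
        ent = entities.setdefault(
            ev["id"], {"id": ev["id"], "first_seen": ev["timestamp"], "closed_count": 0})
        ent["first_seen"] = min(ent["first_seen"], ev["timestamp"])
        ent["closed_count"] += int(ev["status"] == "closed")
    return list(entities.values())

def open_older_than(entities, now, days=20):
    """Local emulation of OPEN_OLD_QUERY over the entity documents."""
    cutoff = now - timedelta(days=days)
    return sorted(e["id"] for e in entities
                  if e["closed_count"] == 0 and e["first_seen"] < cutoff)

# Constructed sample events in the shape of the table from the question.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"id": 1, "timestamp": NOW - timedelta(days=30), "status": "created"},
    {"id": 1, "timestamp": NOW - timedelta(days=25), "status": "closed"},
    {"id": 2, "timestamp": NOW - timedelta(days=30), "status": "created"},
    {"id": 3, "timestamp": NOW - timedelta(days=5), "status": "created"},
]
```

Id 1 is excluded because it has a "closed" event and id 3 because it is only 5 days old, so only id 2 matches.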
