We have monitoring on the servers with different tools and get the events when any server is down from all monitoring tools. We are inserting all these events as records (doc type) in Elasticsearch. We need to write a query in such a way that
we get the first inserted record from the same host (I can apply aggregation on the server field) within the last 10 min. If we get the first inserted record, then we can suppress the later inserted events in the last 10 min on the same device from different sources.
Can you please help me on how to get the first inserted record on the same host in the last 10 min of records?
Thanks for your reply Kevin. We are monitoring the servers in our network with different monitoring tools. So if any server is down (assume server A is down), we get the same event on the same host from different monitoring tools. We need to apply a filter/query to get the last 10 min of records (basically we have a lot of events on different hostnames from different monitoring tools), apply group by on hostname and get the first inserted record out of the same events from different monitoring tools.
Example: if server A and server B are down, we will get events from Tool A and Tool B on both devices. We need to find out which event comes first on the same server and from which tool.
BTW, we are using Python to load the data/events into Elasticsearch, hence it doesn't have @timestamp. We added a time field for each record to hold the current time while inserting.
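One way to express what the posts above ask for, as an added example that is not part of the original thread: a Python function that builds the Elasticsearch request body (range filter on the poster's own `time` field for the last 10 minutes, `terms` bucket per host, `top_hits` of size 1 sorted ascending on `time`), plus the same suppression logic applied locally to constructed sample events so it can be run offline. The field names `hostname` and `time` and the tool name field are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Assumed field names: "hostname" holds the server, "time" the insert timestamp
# that the poster adds from Python (there is no @timestamp). For the terms
# aggregation the host field must be keyword-typed (e.g. "hostname.keyword").
HOST_FIELD = "hostname"
TIME_FIELD = "time"


def first_event_per_host_query(window_minutes=10):
    """Request body: keep only docs whose `time` is within the last
    `window_minutes`, bucket them by host, and return the single earliest
    doc of each bucket (top_hits, size 1, sorted ascending on `time`)."""
    return {
        "size": 0,  # only the aggregation buckets are wanted, not raw hits
        "query": {"range": {TIME_FIELD: {"gte": f"now-{window_minutes}m"}}},
        "aggs": {
            "by_host": {
                "terms": {"field": HOST_FIELD, "size": 1000},
                "aggs": {
                    "first_event": {
                        "top_hits": {
                            "size": 1,
                            "sort": [{TIME_FIELD: {"order": "asc"}}],
                        }
                    }
                },
            }
        },
    }


def first_event_per_host(events, now, window_minutes=10):
    """Same logic applied locally to event dicts with `hostname`, `tool` and
    a datetime `time`: drop events older than the window, then keep only the
    earliest remaining event for each host (later duplicates are suppressed)."""
    cutoff = now - timedelta(minutes=window_minutes)
    first = {}
    for ev in sorted(events, key=lambda e: e[TIME_FIELD]):
        if ev[TIME_FIELD] < cutoff:
            continue  # outside the 10-minute window
        first.setdefault(ev[HOST_FIELD], ev)  # earliest event per host wins
    return first


# Constructed sample: servers A and B go down and two tools report each of them;
# the last event is 30 minutes old and must fall outside the window.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"hostname": "serverA", "tool": "toolB", "time": NOW - timedelta(minutes=3)},
    {"hostname": "serverA", "tool": "toolA", "time": NOW - timedelta(minutes=4)},
    {"hostname": "serverB", "tool": "toolB", "time": NOW - timedelta(minutes=1)},
    {"hostname": "serverB", "tool": "toolA", "time": NOW - timedelta(minutes=2)},
    {"hostname": "serverA", "tool": "toolA", "time": NOW - timedelta(minutes=30)},
]
```

Against a live cluster the `first_event` hit inside each `by_host` bucket is the record to keep; everything else for that host in the window is the duplicate to suppress.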