How to link two indices?

xionglingfeng · December 22, 2015, 11:05am

Hi all,
There are two indices in ES, which stored related information.

For example, an index named "logstash-netflow-YYYY-MM-DD" contains field named "netflow.ipv4_src_addr" and "netflow.ipv4_dst_addr". Another index named "logstash-radius-YYYY-MM-DD" contains field named "Framed-IP-Address" and "User-Name".

Is there anyway to link these two indices together? Like when querying "netflow.ipv4_dst_addr=1.1.1.1", shows all corresponding "netflow.ipv4_src_addr" and "User-Name"?

If this design is not good, any suggestions to improve it?

nodexy · December 22, 2015, 2:42pm

Maybe you can try this feature : parent-child relationship

https://www.elastic.co/guide/en/elasticsearch/guide/current/parent-child.html

warkolm · December 22, 2015, 8:17pm

Short answer is no, you cannot join in nosql systems, including ES.

Longer answer is sort of using something like TimeLion which visually "merges" things. Or you can use parent/child, but it's not really relevant for this dataset.

xionglingfeng · December 23, 2015, 1:36am

@warkolm Any suggestions to improve my current design to allow such query?