How to query 2 logs and show where session.id is missing in one of the logs?

asp · August 28, 2019, 1:37pm

Hi,

I have 2 logs (httpd_access and session log).
Both logs have the field session.id.
One httpd call can result in multiple sessionlog entries.

I want to find out the following:

which session ids have entries in session log but not in httpd log
which session ids have entries in httpd log, but not in session log.

There are thousands of requests, so I cannot do the comparison manually.

How can kibana / elasticsearch help here?

Thanks, Andreas

Mark_Harwood · August 28, 2019, 1:50pm

Hi Andreas,
For this sort of analysis it's probably best to combine these two event-centric index contents into a third "entity-centric" index keyed on session ID.
The new dataframes functionality is designed to do the work of fusing the data. You may need to set up an alias that combines the two indices and use that as the source data to perform the transform, using the common session.id field as the join key.

Topic		Replies	Views
Combining Events Based on Common session_id Field Kibana	3	1914	June 11, 2019
Grouping logs into sessions Elasticsearch painless	8	821	December 22, 2023
Slice logs based on start and end of an user session Elasticsearch	3	1206	December 19, 2016
Distinct count with filter Elasticsearch	4	992	December 7, 2018
Can kibana compare logs from different area and find the missing one? Kibana	4	569	August 11, 2022

How to query 2 logs and show where session.id is missing in one of the logs?

Related topics