I have 2 different lines in the log for each search and response. We identify respective serach and its response by "conn" and "op" number. Want to setup parent child relationship on "conn" and "op" so when I search ou=123456789012345 I should get not only search but the response of it as well.
[15/Oct/2018:08:47:21 -0700] - SERVER_OP - INFO - conn=916232 op=1 SEARCH base="ou=depts,ou=people,dc=example,dc=com" scope=2 filter="(ou=123456789012345)" attrs="givenname sn mail street roomNumber l st postalCode preferredLanguage AccountLiabilityIndicator AccountType AccountSubType " s_msgid=26 s_conn=q1ccr1l2_a:33774
[15/Oct/2018:08:47:21 -0700] - SERVER_OP - INFO - conn=916232 op=1 SEARCH RESPONSE err=0 msg="" nentries=0 s_msgid=26 s_conn=q1ccr1l2_a:33774 etime=0
Came across Elasticsearch 6.4 Join datatype(using same version) but not sure how to do that correct. Kindly check on this and share details.
currently using logstash-YYYY.MM.DD index for each day data logs. How can I achieve this?