I am hoping that someone can set me straight. I have Googled, and watched videos, to my heart's content. I need to know how to do more advanced analysis of Elastic documents. For example,
Let's say we have logs that look like this:
user1 "Successfully Logged in"
user2 "Successfully Logged in"
user3 "Successfully Logged in"
user1 "Successfully Logged out"
user4 "Successfully Logged in"
user2 "Successfully Logged out"
user5 "Successfully Logged in"
user6 "Successfully Logged in"
.
.
.
user50000 "Successfully Logged...."
You get the point, I need to know how many users are still logged into a system. So I need to find the last update for each user, and then count how many of those are "logged in". That requires multiple passes over data, and then either some math, or a simple count of the results. I cannot find any evidence that elastic can handle this.
Then there is another problem, let's call it problem number 2.
Let's say you have that same log from above. But I need a dashboard that shows how many level 1 sales reps are logged in, and how many are from the state of Texas. That info is stored in Active Directory, so I need to either look that up at the time I build a dashboard OR at the time I store the document. I see nothing that says I can even do it at DB time, and very little information about how to do that at document creation time that does not have a severe impact on performance when you are talking about 60,000 users pushing thousands of transactions per second. I was hoping for a lookup table that could be updated once a day that could be accessed quickly for inbound records.
Are either of these things possible with Elastic & Kibana? I know our company spends a great deal of money on this technology and I have been a big supporter internally, but I am running into these situations more and more and need to find better sources of information on how to solve them.
Thanks for your input!
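Added example, not part of the original post and not the poster's code: both problems above worked through in Python over a constructed copy of the sample log. The first part shows the "last event per user, then count" logic as a single pass, plus the Elasticsearch Query DSL body (a `terms` aggregation per user with a `top_hits` sub-aggregation sorted newest-first) that returns the same per-user latest event server-side, with the count finished on the client. The second part shows the once-a-day lookup table applied at document creation time, which is what an ingest pipeline with an enrich processor does inside Elasticsearch. The log lines, the lookup table contents and the field names (`user`, `action`, `level`, `state`, `@timestamp`) are assumptions for this example.

```python
"""Added example (not from the original post): last-event-per-user counting and
lookup-table enrichment, over constructed sample data."""
import re

# Constructed sample log in the shape the question describes; list order = time order.
SAMPLE_LOG = [
    'user1 "Successfully Logged in"',
    'user2 "Successfully Logged in"',
    'user3 "Successfully Logged in"',
    'user1 "Successfully Logged out"',
    'user4 "Successfully Logged in"',
    'user2 "Successfully Logged out"',
    'user5 "Successfully Logged in"',
    'user6 "Successfully Logged in"',
]

# Constructed "refreshed once a day" lookup table standing in for the Active Directory export.
# user6 is deliberately absent: an enrichment step has to cope with users it does not know.
AD_LOOKUP = {
    "user1": {"level": 1, "state": "TX"},
    "user2": {"level": 2, "state": "TX"},
    "user3": {"level": 1, "state": "CA"},
    "user4": {"level": 1, "state": "TX"},
    "user5": {"level": 3, "state": "NY"},
}

LINE_RE = re.compile(r'^(?P<user>\S+)\s+"Successfully Logged (?P<action>in|out)"')


def parse_line(line):
    """Turn one raw line into an event dict; None for lines that do not match the pattern."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"user": m.group("user"), "action": m.group("action")}


def last_event_per_user(lines):
    """Problem 1, one pass: later lines overwrite earlier ones, so the dict ends up
    holding only each user's most recent event."""
    last = {}
    for ln in lines:
        ev = parse_line(ln)
        if ev:
            last[ev["user"]] = ev
    return last


def logged_in_users(lines):
    """Users whose most recent event is a login."""
    return sorted(u for u, ev in last_event_per_user(lines).items() if ev["action"] == "in")


def enrich(event, lookup, default=None):
    """Problem 2: add lookup attributes at document creation time. Unknown users get
    explicit null fields so a dashboard can still filter on them."""
    attrs = lookup.get(event["user"], {"level": default, "state": default})
    return {**event, **attrs}


def logged_in_by_attribute(lines, lookup, **where):
    """Count currently logged-in users whose enriched attributes match, e.g. level=1, state='TX'."""
    count = 0
    for ev in last_event_per_user(lines).values():
        if ev["action"] != "in":
            continue
        enriched = enrich(ev, lookup)
        if all(enriched.get(k) == v for k, v in where.items()):
            count += 1
    return count


def es_last_event_query(user_field="user", ts_field="@timestamp", max_users=10000):
    """Problem 1 server-side: one terms bucket per user, each carrying its newest document.
    The client then counts buckets whose latest action is 'in'; no single aggregation
    finishes that count over top_hits results, so the last step stays client-side."""
    return {
        "size": 0,
        "aggs": {
            "per_user": {
                "terms": {"field": user_field, "size": max_users},
                "aggs": {
                    "last_event": {
                        "top_hits": {
                            "size": 1,
                            "sort": [{ts_field: {"order": "desc"}}],
                            "_source": ["action"],
                        }
                    }
                },
            }
        },
    }


if __name__ == "__main__":
    print("logged in:", logged_in_users(SAMPLE_LOG))
    print("level-1 reps in TX logged in:", logged_in_by_attribute(SAMPLE_LOG, AD_LOOKUP, level=1, state="TX"))
```

The `terms` size must cover the whole user population (60,000 here) or the count silently misses users; the constructed lookup deliberately omits one user so the enrichment path with a missing entry is exercised rather than assumed.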