Hey guys, I'm fairly new working with Kibana and the ELK stack.
I currently have logs being sent roughly every 12 hours, containing packages and their versions.
My goal is to create a table that groups the data by their package.name field, and then displays the timestamp and the package.version of the 2 latest documents.
My first solution was making use of histograms, which gave me a usable table, but this solution has a downside to it: if I have a package updated outside of these 12-hour logging intervals (let's say a package got updated at 16:00 the day before), my histogram table on a 12-hour interval, spread over a 24-hour duration, ends up with 3 histogram rows, where the rows would be split into 16:00, 00:00 and 12:00, because the outlier package update at 16:00 the day before is still inside the 24-hour window.
This led me to looking into transforms, and here my question is: is there anyone in the community who could point me towards a solution where I could transform my data such that I take the two latest documents for each package.name and combine them, keeping both the timestamp and package.version fields, such that I could have a previous.package.version and current.package.version field and so on, on a single table row?
Thanks in advance!
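As an added example (not from the original post), here is a pivot transform, in Kibana Dev Tools console syntax, that groups by package.name and keeps the two newest documents per package with a scripted_metric aggregation. The index names package-logs-* and package-versions-latest, the @timestamp field, and package.version being a keyword field are assumptions.

```json
PUT _transform/package_versions_latest_two
{
  "source": { "index": "package-logs-*" },
  "dest": { "index": "package-versions-latest" },
  "frequency": "1h",
  "sync": { "time": { "field": "@timestamp", "delay": "60s" } },
  "pivot": {
    "group_by": {
      "package.name": { "terms": { "field": "package.name" } }
    },
    "aggregations": {
      "latest_two": {
        "scripted_metric": {
          "init_script": "state.docs = []",
          "map_script": """
            // one entry per document: epoch millis for sorting, plus the version string
            Map d = new HashMap();
            d.put('ts', doc['@timestamp'].value.toInstant().toEpochMilli());
            d.put('version', doc['package.version'].value);
            state.docs.add(d);
          """,
          "combine_script": """
            // per shard: sort newest first and keep only two candidates to bound memory
            state.docs.sort((a, b) -> b.get('ts').compareTo(a.get('ts')));
            return state.docs.size() > 2 ? new ArrayList(state.docs.subList(0, 2)) : state.docs;
          """,
          "reduce_script": """
            // merge the per-shard candidates and pick the overall two newest
            List all = new ArrayList();
            for (s in states) { all.addAll(s); }
            all.sort((a, b) -> b.get('ts').compareTo(a.get('ts')));
            Map out = new HashMap();
            if (all.size() > 0) {
              out.put('current_timestamp', all[0].get('ts'));
              out.put('current_version', all[0].get('version'));
            }
            if (all.size() > 1) {
              out.put('previous_timestamp', all[1].get('ts'));
              out.put('previous_version', all[1].get('version'));
            }
            return out;
          """
        }
      }
    }
  }
}
```

Each destination document is one row per package.name with the fields under latest_two.* (current_version, previous_version and their timestamps); the timestamps are written as epoch milliseconds, so map them as type date in the destination index beforehand if you want Kibana to render them as dates.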