Kibana - How to join the values of a field cross events based on userId and sessionIDinto 1 string by timestamp ascendly with script fields

cheriemilk · April 17, 2019, 12:32am

Hi Team,

I have below events in elasitcsearch.
timestamp,module,page,userId,actionType,sessionId
2019-02-13 02:56:05.356,succession,talentsearch,cgrant1,list_saved_search,sid1
2019-02-13 02:56:05.358,succession,talentsearch,lokamoto1,list_saved_search,sid2
2019-02-13 02:56:05.358,succession,talentsearch,cgrant1,start_over,sid1
2019-02-13 02:56:05.360,succession,talentsearch,cgrant1,delete_saved_search,sid1
2019-02-13 02:56:05.361,succession,talentsearch,lokamoto1,search,sid2
2019-02-13 02:56:05.365,succession,talentsearch,lokamoto1,nominate,sid2

with above sample log event, I come up with 2 user scenarios from actionType field

list_saved_search->start_over->delete_saved_search (cgrant1's user scenario in sid1)
list_saved_search->search->nominate (lokamoto's user scenario in sid2)

how can I join the actionType fields with userId and httpsessionID cross events to get a string represting a user scenario with script fields???

Christian_Dahlqvist · April 17, 2019, 5:19am

Scripted fields run in the context of a single document, not a collection of documents, so I do not think this can be done using scripted fields. For scenarios where ordering of multiple events is important creating a separate entity-centric index might be the best approach.

system · May 15, 2019, 5:19am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.