Trying to come up with a bit of a complex saved search here....
Suppose I store events into ELK, and the event has a success and failure field on it. In some cases, failures are reported prematurely, and then a success event is logged for that same event. These things are tied together based on an eventID field.
So how might I go about saying:
Give me all events where the status field is FAILURE, and where there does not exist another event with the same eventID that has its status field set to SUCCESS.
I'm sorry, but unless you are removing the "failure" reports when the "success" report is indexed, I'm pretty confident that there isn't a way to get the correct results in a saved search.
I see. That's what I was thinking. The query would be very complex, if even possible. I wonder if I can perform a query within logstash and handle this case.
Perhaps you could just derive the id for these documents from the eventID so subsequent index requests will override the previous document (since they would have the same eventID, and therefore id).
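The approach suggested above, as an added Logstash output example that is not part of this thread: the Elasticsearch `document_id` is derived from `eventID`, so a later SUCCESS event for the same `eventID` replaces the premature FAILURE document, and the saved search then only needs `status:FAILURE`. The host, index name and tag name are assumptions; the guard is there because a missing `eventID` would otherwise be stored as the literal string `%{eventID}` and every such event would overwrite one document.

```logstash
filter {
  # Flag events that have no eventID so they are never given the
  # templated id below (assumed tag name).
  if ![eventID] {
    mutate { add_tag => ["missing_eventid"] }
  }
}

output {
  if "missing_eventid" in [tags] {
    # Fall back to an auto-generated _id rather than collapsing
    # all id-less events into a single document.
    elasticsearch {
      hosts => ["localhost:9200"]   # assumed host
      index => "events"             # assumed index name
    }
  } else {
    # Same eventID -> same _id: the most recently indexed event for
    # that eventID wins, so a later SUCCESS replaces an earlier FAILURE.
    elasticsearch {
      hosts       => ["localhost:9200"]
      index       => "events"
      document_id => "%{eventID}"
    }
  }
}
```

Last write wins, so this relies on the SUCCESS event arriving after the premature FAILURE; a FAILURE indexed later than its SUCCESS would overwrite it, and the overwritten failure record is no longer available for review.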