Hello,
I am ingesting a field that changes value and I would like to capture a duration of the value, is this possible with Elastic?
For example:
13:00 - 1 document - field1: “Offline” , newfield_duration: 0min
13:04 - 1 document - field1: “Offline”, newfield_duration: 4min13:05 - 1 document - field1: “Online”, newfield_duration: 0min
Hello @erikg
As per the example shared how do you derive newfield_duration? Online => Offline?
For 1st example both field1 are Offline? Do we have any common field like say ID?
13:00 - 1 document - ID1 - field1: “Online” , newfield_duration: 0min
13:04 - 1 document - ID1 - field1: “Offline”, newfield_duration: 4min
13:05 - 1 document - ID2 - field1: “Online”, newfield_duration: 0min
13:14 - 1 document - ID2 - field1: “Offline”, newfield_duration: 9min
If you could share more details or example then it might be helpful.
Thanks!!
Hey @Tortoise , yes you are correct about a common id would be used.
I think what I am looking for is something like this:
id1: “alarm_1” , field1: ”Offline”, newfield_duration: 1day
id1: “alarm_2” , field1: ”Online”, newfield_duration: 30min
This essentially tells me that an alarm_1 has been offline for 1day and alarm_2 has been online for 30 minutes.
I was thinking deeper into this,
It seems like I essentially need to like a transform? an aggregation on the max timestamp and and aggregation on the min timestamp?
Hello @erikg
Yes, transform will help to capture the data id wise & field1 (latest).
If possible could you share few log lines as i was wondering will this data be written every 5 minutes and the newfield_duration will be currenttime - timestamp of record?
Thanks!!
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.