Matching fields and create new field

Rajesh_M · August 19, 2020, 2:15pm

Hi,

I have an index with our application logs, which is exported directly to ELK. Below is one of the session log,

{"@timestamp": "2020-08-19T13:42:15.236Z", "session": "fdb56d5f", "client": "192.168.1.2", "operation": "login"}
{"@timestamp": "2020-08-19T13:47:42.659Z", "session": "fdb56d5f", "account": "rajesh", "protocol": "ssh", "vcs": "git", "pack": "upload"}

Here,

the first entry is for login and next entry for main operation info.
we are using only the second entry for visuals.Unfortunately, the client IP is in the first entry.
Requirement: we need to match the session and add a new field in second entry by copying the client ip from first line. any guidance ?

-Thanks

wylie · August 24, 2020, 4:11pm

Elasticsearch doesn't easily support this kind of session analysis in a single query, but we have a feature called Transforms which is capable of joining sessions into a session-oriented instead of time-oriented index.

system · September 21, 2020, 4:11pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.