Merging Kibana Results

vamc · October 26, 2023, 4:08am

I have two logs from two different applications writing to the same index.
Log1:

[
"Processed Payload - UID: c9c9502f-f398-434f-3d2efc7853a3, AlertId : 000130114"]

Log2:

["Processed Payload - UID: c9c9502f-f398-434f-3d2efc7853a3, ClientId: 283400, TrackId: tracking-456, File: transaction.csv"]

From the UID in log2 i need to check if there are any matching alertId in log1 and if found i need to merge the data and get it in the below format.

Processed Payload - UID: c9c9502f-f398-434f-3d2efc7853a3, ClientId: 283400, TrackId: tracking-456, File: transaction.csv", AlertId:000130114

How can i do this ??
I will need this to be running as part of Kibana watcher

jsanz · October 27, 2023, 12:41pm

As you may know, Elasticsearch is not meant to run JOIN queries at runtime.

I think I would approach this as:

Process your incoming data to extract the identifiers using an ingest pipeline, maybe even using the reroute processor to split your logs in different indices.
Create a pivot transform that pivots (merges) the entries with a common UID. You can probably even set up another ingest pipeline in the new output index to generate that format message but you probably want to do that later.

I'm unsure how this plays with your Kibana Watcher use case, but it seems worth exploring.

system · November 24, 2023, 12:41pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Correlate Events using Kibana Kibana	2	4732	February 23, 2018
How to match two logs in Kibana Kibana	2	998	October 18, 2019
Combine different log events in one data table Kibana	2	359	June 8, 2021
Pulling data from two indices Kibana	2	379	September 6, 2018
Merge data feeds to one searchable index Elasticsearch	3	957	July 5, 2017