Merging Kibana Results

vamc · October 26, 2023, 4:08am

I have two logs from two different applications writing to the same index.
Log1:

[
"Processed Payload - UID: c9c9502f-f398-434f-3d2efc7853a3, AlertId : 000130114"]

Log2:

["Processed Payload - UID: c9c9502f-f398-434f-3d2efc7853a3, ClientId: 283400, TrackId: tracking-456, File: transaction.csv"]

From the UID in log2 i need to check if there are any matching alertId in log1 and if found i need to merge the data and get it in the below format.

Processed Payload - UID: c9c9502f-f398-434f-3d2efc7853a3, ClientId: 283400, TrackId: tracking-456, File: transaction.csv", AlertId:000130114

How can i do this ??
I will need this to be running as part of Kibana watcher

jsanz · October 27, 2023, 12:41pm

As you may know, Elasticsearch is not meant to run JOIN queries at runtime.

I think I would approach this as:

Process your incoming data to extract the identifiers using an ingest pipeline, maybe even using the reroute processor to split your logs in different indices.
Create a pivot transform that pivots (merges) the entries with a common UID. You can probably even set up another ingest pipeline in the new output index to generate that format message but you probably want to do that later.

I'm unsure how this plays with your Kibana Watcher use case, but it seems worth exploring.

system · November 24, 2023, 12:41pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Matching data in two different indexes Kibana	5	830	January 23, 2023
ELK - Aggregating Fields from 2 different messages into a single log Logstash	2	385	July 2, 2018
How to search and display log events linked through a series of UUIDs Kibana	2	295	September 13, 2023
Merge two indices created by two different Logstash conf file Kibana	3	136	October 9, 2023
Visualization In Kibana after Merging/Mapping Kibana	2	125	November 8, 2023