Thanks for your reply. Using a date histogram doesn't satisfy the requirements.
If I group them by pre-defined time intervals, the logs won't be grouped by sessions.
For example, if I group them hourly:
These 2 logs will be grouped into different sessions even though they belong to the same one.
The end goal is to show, for each IP address, all the LogIds separated by session.
I have this:
Using elasticsearch, would it be possible to somehow create an index from the existing one?
This way, I could:
1. Group all the events by ClientIp
2. Order by Timestamp
3. Sequentially, go through each log and store the timestamp of each log as a field SessionEnd of the aggregation
4. Therefore, I could compare the timestamp of each log to (SessionEnd + 30 minutes) to check whether I should group that log with the existing session or create a new session.
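The sessionization described in the steps above, as an added example that is not part of the original thread: it runs offline over a constructed list of hits (the field names ClientIp, Timestamp and LogId and the 30-minute inactivity gap are taken from the post; the hit values are made up), groups by IP, orders by time, and opens a new session whenever a hit arrives later than SessionEnd + 30 minutes. The flattened session documents it returns are the shape one would bulk-index into a new index.

```python
from datetime import datetime, timedelta

SESSION_GAP = timedelta(minutes=30)  # inactivity threshold from the post

# Constructed sample hits (not real data); field names follow the post.
HITS = [
    {"ClientIp": "10.0.0.1", "Timestamp": "2023-01-01T10:00:00", "LogId": 1},
    {"ClientIp": "10.0.0.1", "Timestamp": "2023-01-01T10:20:00", "LogId": 2},
    {"ClientIp": "10.0.0.1", "Timestamp": "2023-01-01T10:40:00", "LogId": 3},
    {"ClientIp": "10.0.0.1", "Timestamp": "2023-01-01T11:05:00", "LogId": 4},  # crosses the hour, same session
    {"ClientIp": "10.0.0.1", "Timestamp": "2023-01-01T12:00:00", "LogId": 5},  # 55 min idle: new session
    {"ClientIp": "10.0.0.2", "Timestamp": "2023-01-01T10:05:00", "LogId": 6},
    {"ClientIp": "10.0.0.2", "Timestamp": "2023-01-01T10:36:00", "LogId": 7},  # 31 min idle: new session
]


def sessionize(hits, gap=SESSION_GAP):
    """Group hits by ClientIp, order by Timestamp and split into sessions.

    A hit starts a new session when it arrives more than `gap` after the
    previous hit of the same IP (SessionEnd + 30 minutes in the post's terms).
    Returns {ip: [[LogId, ...], ...]} with sessions in chronological order.
    """
    ordered = sorted(
        hits, key=lambda h: (h["ClientIp"], datetime.fromisoformat(h["Timestamp"]))
    )
    sessions = {}
    session_end = {}  # last timestamp seen per IP, i.e. the current SessionEnd
    for h in ordered:
        ip = h["ClientIp"]
        ts = datetime.fromisoformat(h["Timestamp"])
        # No open session for this IP, or the idle gap was exceeded: open a new one.
        if ip not in session_end or ts > session_end[ip] + gap:
            sessions.setdefault(ip, []).append([])
        sessions[ip][-1].append(h["LogId"])
        session_end[ip] = ts  # the session now ends at this hit
    return sessions


def session_documents(hits, gap=SESSION_GAP):
    """Flatten into one document per session, ready to index into a new index."""
    docs = []
    for ip, ip_sessions in sessionize(hits, gap).items():
        for n, log_ids in enumerate(ip_sessions, start=1):
            docs.append({"ClientIp": ip, "SessionNumber": n, "LogIds": log_ids})
    return docs


if __name__ == "__main__":
    for doc in session_documents(HITS):
        print(doc)
```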