Hello.

Maybe I want to get strange thing but I'd like to do it.

I've got log files which contain following data:

ReportName, ReportAction (with values ReportStarted or ReportFinished. Each log can contain only one value: ReportFinished or ReportStarted) and UID. UID is unique for each report. I mean that we can have two strings with one UID in case that report has been finished or we can have only one string with UID in case if report has been chancelled.

The text above can be shown in table form. For example table1 and table2:

table1
ReportName |ReportAction | UID |

Report1 |Started |u_11111 |
Report2 |Started |u_22222 |
Report3 |Started |u_33333 |

table2
ReportName |ReportAction | UID |

Report1 |Finished |u_11111 |
Report2 |Finished |u_22222 |

My quiestion. Is it possible to write query looks like UNION statement in SQL?

SELECT ReportName, UID
FROM table1

UNION

SELECT ReportName, UID
FROM table2

According to tables above I can say that I'd like to get as final result only string report3, showing report which has been started but hasn't been completed (chancelled for example).

There isn't any way to do unions with Elasticsearch documents. Instead, would it be possible for you to have a single document for each report, with started and finished fields? When a report starts, you could index a document with the started time. When the report finishes, you could simply update the existing document with the finished time. This seems like it would make what you're trying to do much simpler.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.