Query to find requests that don't have a matching response

Nikhil_Utane · February 12, 2018, 6:28am

Hi,

Would like to know if there is a way to write a query that finds out for which all request events, the corresponding response event was missing.

For e.g. In case of below data:

PUT test-index/test/_bulk?refresh
{"index":{"_id":1}}
{"msg_type":"request","msg_id":"abc","message":"Hello"}

{"index":{"_id":2}}
{"msg_type":"response","msg_id":"abc","message":"World"}

{"msg_index":{"_id":3}}
{"msg_type":"request","msg_id":"xyz","message":"Missing response"}

I want to be able to say 1st and 2nd message form a request and response pair (based on msg_id) so all good there. Where as for the 3rd one the response was missing which needs to be highlighted.

One option for me is to generate a missing response event from within logstash but just want to know if there is a query available to achieve the same.

-Thanks
Nikhil

Mark_Harwood · February 12, 2018, 9:20am

This question looks like another case of "joining related records based on a high cardinality ID"
See How to search relationship between log lines

system · March 12, 2018, 9:20am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to find the number of times a particular log event happened in the ES using query Elasticsearch	1	317	June 27, 2018
Updating indexed documents in Elasticsearch via Logstash Elasticsearch	1	490	July 5, 2017
Elasticsearch query problem Elasticsearch	10	1001	August 28, 2019
Missing event while report to elastic search Logstash	1	430	May 14, 2020
Query Elasticsearch	2	380	February 15, 2018

Query to find requests that don't have a matching response

Related topics