Hi all,
I have a requirement to aggregate related events by time.
It can be during the indexing or during the Query.
The time aggregation is based on a moving window, for example 1 minute, which means that all events from the same source and same type and occurred in less than 1 minute from one another are related.
For example, the following:
Target1 Type1 15:41:35
Target1 Type1 15:42:13
Target1 Type1 15:42:27
Target1 Type1 15:42:47
Target1 Type1 15:42:57
Target1 Type1 15:43:27
Are all related events, which needs to be aggregated.
On aggregation I will have to take the max(timestamp).
Any Idea on how can be implemented with Elasticsearch, on Index time or Query time ?
Thanks,
Ori