Question on multiple date fields in an event and time range

I am trying to push all our team's tickets into ELK. The tickets have 5 date fields and I have 2 questions in this regard. I have all the data in the same index. The 5 different date fields:

Planned_Start_Time
Planned_End_Time
Actual_Start_Time
Actual_End_Time
Updated_Time

Question 1: I want the event to be displayed for each of these 5 time instances when any of them falls within the timepicker range in Kibana. Do I need to insert the same event multiple (5) times, associating each date field with @Timestamp? My time series chart is created with a Date Histogram on @Timestamp.

Question 2: There are some events which span over days. Let us say that the start_date and end_date are 6 hrs apart, for example from 06:00 till 12:00. When I am searching for any events ongoing between 08:00 and 10:00, I do not find this event. Any way to accomplish this?

Thanks in advance for your support

Best regards
Sudhakar

Q1:
Yeah, you'll have to have the event ingested 5 times, you could do something like this:
{
  "name": "event1",
  "action": "Planned_Start",
  "timestamp": "<time>"
}
and so on. This way you can display all 5 date fields on the chart.

Q2. Other than having events piped in at a specific time interval that says ongoing or not, you won't be able to accomplish that in ES from what I can tell.

Update: I think you could use Canvas and the new SQL-like expression editor to achieve what you want from Q2. It will take a while to get into it, but it pretty much can solve any data problem, so it's a good feature to learn: https://www.elastic.co/guide/en/kibana/current/canvas.html
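An added example, not part of either post: a Python sketch of the fan-out described for Q1 (one document per populated date field, each with its own `@timestamp`), plus an interval-overlap filter built from two standard Elasticsearch `range` clauses for the Q2 case. The function names, the sample ticket, and the choice of the `Actual_*` fields for the overlap test are assumptions.

```python
from datetime import datetime

# Field names as listed in the question.
DATE_FIELDS = ["Planned_Start_Time", "Planned_End_Time",
               "Actual_Start_Time", "Actual_End_Time", "Updated_Time"]

def fan_out(ticket):
    """Return one document per populated date field, ready for indexing."""
    docs = []
    for field in DATE_FIELDS:
        value = ticket.get(field)
        if not value:                      # date not set yet, e.g. ticket still open
            continue
        doc = dict(ticket)                 # keep the original fields for filtering
        doc["action"] = field[:-len("_Time")]
        doc["@timestamp"] = value          # the field the Date Histogram uses
        docs.append(doc)
    return docs

def overlap_query(window_start, window_end,
                  start_field="Actual_Start_Time", end_field="Actual_End_Time"):
    """Match events ongoing at any point in [window_start, window_end]."""
    return {"query": {"bool": {"filter": [
        {"range": {start_field: {"lte": window_end}}},   # started before window ends
        {"range": {end_field: {"gte": window_start}}},   # ended after window starts
    ]}}}

def overlaps(ticket, window_start, window_end,
             start_field="Actual_Start_Time", end_field="Actual_End_Time"):
    """The same predicate evaluated locally, to check the logic offline."""
    parse = datetime.fromisoformat
    return (parse(ticket[start_field]) <= parse(window_end)
            and parse(ticket[end_field]) >= parse(window_start))

# Constructed sample ticket: ran 06:00 to 12:00, as in the question.
SAMPLE = {
    "name": "event1",
    "Planned_Start_Time": "2019-03-01T06:00:00",
    "Planned_End_Time": "2019-03-01T11:00:00",
    "Actual_Start_Time": "2019-03-01T06:00:00",
    "Actual_End_Time": "2019-03-01T12:00:00",
    "Updated_Time": "2019-03-01T12:05:00",
}

if __name__ == "__main__":
    for d in fan_out(SAMPLE):
        print(d["action"], d["@timestamp"])
    print(overlap_query("2019-03-01T08:00:00", "2019-03-01T10:00:00"))
```

If the overlap filter is run against the fanned-out documents, each matching ticket is returned once per copy, so filter on a single `action` value or deduplicate on the ticket name.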

Thanks Marius. So, I have to insert the event multiple times.

Thanks for the tip. Will look into it.

Best regards
