Hello @nilsen
As I am not sure about the exact end requirement, here is a similar use case in case it is helpful to you.
So if I look at your logs, and if this is available in Elastic:
{ logTime: "20/08/25T12:00:00", id: "random-id-01", message: "user1 connected" }
{ logTime: "20/08/25T12:00:01", id: "random-id-01", message: "uploaded file.xml" }
{ logTime: "20/08/25T12:00:02", id: "random-id-01", message: "disconnected" }
Using ES|QL we can get the aggregated record:
FROM test-message
// Derive one field per message type; every other row gets null for that field
| EVAL
user = REPLACE(CASE(message LIKE "* connected*", message, null), " connected", ""),
filename = REPLACE(CASE(message LIKE "*uploaded*", message, null), "uploaded ", ""),
action = CASE(message LIKE "*uploaded*", "upload", null),
disconnect_time = CASE(message LIKE "*disconnected*", logTime, null)
// Collapse the rows of one session into a single record (MAX ignores nulls)
| STATS
logTime = MAX(disconnect_time),
user = MAX(user),
action = MAX(action),
filename = MAX(filename)
BY id
// Keep only sessions that have a connect, an upload and a disconnect
| WHERE logTime IS NOT NULL AND user IS NOT NULL AND action IS NOT NULL AND filename IS NOT NULL
| KEEP logTime, id, user, action, filename
| SORT logTime ASC
Thanks!!
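The same correlation carried out in plain Python, as an added example that is not part of the reply above, for anyone who wants to check what the EVAL / STATS / WHERE pipeline does to a set of records before running it against an index. The sample records are constructed and extend the three lines from the post with a session that never uploads (dropped by the WHERE step) and one whose events arrive out of order (handled because MAX does not depend on order). The connect and upload patterns are anchored regular expressions, which are stricter than the `*`-wildcard LIKE used in ES|QL, and the `logTime` values are compared as strings exactly as the query does; a real deployment would parse them into dates first.

```python
"""Reconstruct per-session records from connection log lines.

Mirrors the ES|QL pipeline EVAL -> STATS ... BY id -> WHERE -> SORT
with ordinary Python so the grouping logic can be checked offline.
"""
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample input (not real log data).
SAMPLE_LOGS = [
    {"logTime": "20/08/25T12:00:00", "id": "random-id-01", "message": "user1 connected"},
    {"logTime": "20/08/25T12:00:01", "id": "random-id-01", "message": "uploaded file.xml"},
    {"logTime": "20/08/25T12:00:02", "id": "random-id-01", "message": "disconnected"},
    # Session with no upload: filtered out when require_complete is True.
    {"logTime": "20/08/25T12:05:00", "id": "random-id-02", "message": "user2 connected"},
    {"logTime": "20/08/25T12:05:30", "id": "random-id-02", "message": "disconnected"},
    # Out-of-order arrival: the disconnect row is seen before the upload row.
    {"logTime": "20/08/25T12:10:00", "id": "random-id-03", "message": "user3 connected"},
    {"logTime": "20/08/25T12:10:09", "id": "random-id-03", "message": "disconnected"},
    {"logTime": "20/08/25T12:10:05", "id": "random-id-03", "message": "uploaded data.csv"},
]

# Anchored patterns (assumption: stricter than the ES|QL wildcard LIKE).
CONNECT_RE = re.compile(r"^(?P<user>\S+) connected$")
UPLOAD_RE = re.compile(r"^uploaded (?P<filename>.+)$")


def eval_fields(record: Dict[str, str]) -> Dict[str, Optional[str]]:
    """EVAL step: derive user / filename / action / disconnect_time from one row."""
    message = record["message"]
    out: Dict[str, Optional[str]] = {
        "user": None, "filename": None, "action": None, "disconnect_time": None,
    }
    if (m := CONNECT_RE.match(message)):
        out["user"] = m.group("user")
    elif (m := UPLOAD_RE.match(message)):
        out["filename"] = m.group("filename")
        out["action"] = "upload"
    elif "disconnected" in message:  # same substring test as LIKE "*disconnected*"
        out["disconnect_time"] = record["logTime"]
    return out


def _max_or_none(values: Iterable[Optional[str]]) -> Optional[str]:
    """MAX semantics: ignore nulls, return None if nothing is left."""
    present = [v for v in values if v is not None]
    return max(present) if present else None


def aggregate_sessions(records: Iterable[Dict[str, str]],
                       require_complete: bool = True) -> List[Dict[str, Optional[str]]]:
    """STATS ... BY id, then WHERE (all fields present), then SORT logTime ASC."""
    by_id: Dict[str, List[Dict[str, Optional[str]]]] = {}
    for rec in records:
        by_id.setdefault(rec["id"], []).append(eval_fields(rec))

    rows = []
    for session_id, parts in by_id.items():
        row = {
            "logTime": _max_or_none(p["disconnect_time"] for p in parts),
            "id": session_id,
            "user": _max_or_none(p["user"] for p in parts),
            "action": _max_or_none(p["action"] for p in parts),
            "filename": _max_or_none(p["filename"] for p in parts),
        }
        # WHERE ... IS NOT NULL: drop sessions missing any of the four fields.
        if require_complete and any(v is None for v in row.values()):
            continue
        rows.append(row)

    # SORT logTime ASC; sessions with no disconnect (only possible when
    # require_complete is False) are placed last.
    rows.sort(key=lambda r: (r["logTime"] is None, r["logTime"] or ""))
    return rows


if __name__ == "__main__":
    for row in aggregate_sessions(SAMPLE_LOGS):
        print(row)
```

Setting `require_complete=False` keeps partial sessions (here the one without an upload), which is the view you want when investigating sessions that connected but never finished, something the ES|QL version hides behind its WHERE clause.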