Seeing if it's possible to add a timeout to the sample web session detail script


I've been reviewing different ways to aggregate log messages together that have a start event but no end event. I've been struggling with the Logstash aggregate filter plugin and was looking at retrofitting an old entity-centric model for a previous version of Elasticsearch (Entity-Centric Indexing - Mark Harwood | Elastic Videos) when I realized that Elasticsearch 7.13 transforms introduce the concept of 'latest', which negates my need for a bunch of external scripts (hopefully).

I am looking at the "Getting Web Session Details by using Scripted Metric Aggregation" sample Painless script, which produces session details, including session duration. Because my logs do not have an end time, I need to make use of a timeout interval, something like a 30-minute window for aggregating message events based on my group by.

Is it possible to do this within the transform by adjusting that script, and could anyone help?



I forgot to include the sample Painless script that I'm trying to retrofit:

I'm trying to set a timeout interval for max session duration since I do not have an end event.
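For readers who land here with the same requirement, the following is an added stand-alone Python example of the inactivity-timeout sessionization the question describes (a session is closed when the next event for the same key arrives more than 30 minutes after the previous one, or when the session exceeds an optional maximum duration). It is not code from this thread, from the Elastic sample script, or from a transform; the log lines, the field layout (timestamp, client key, method, path) and the 30-minute default are constructed assumptions.

```python
from datetime import datetime

# Inactivity timeout in seconds: a gap larger than this between consecutive
# events for the same key closes the current session (assumed 30-minute window).
DEFAULT_TIMEOUT_S = 30 * 60

# Constructed sample log lines (not from the thread): timestamp, client key,
# method, path. Note there is no explicit "end of session" event anywhere.
SAMPLE_LOGS = """\
2021-06-01T10:00:00Z client-a GET /login
2021-06-01T10:05:00Z client-a GET /dashboard
2021-06-01T10:20:00Z client-b GET /login
2021-06-01T10:45:00Z client-a GET /reports
2021-06-01T11:30:00Z client-a GET /login
2021-06-01T11:31:00Z client-a GET /dashboard
"""


def parse_log(text):
    """Parse lines into (timestamp, key, path) tuples; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, parts[1], parts[3]))
    return events


def sessionize(events, timeout_s=DEFAULT_TIMEOUT_S, max_duration_s=None):
    """Group events by key into sessions without needing an end event.

    A new session starts for a key when either
      * the gap since the key's previous event exceeds timeout_s, or
      * max_duration_s is set and the event would push the session past it.
    Sessions still open when the input ends are closed at their last event,
    which is the "timeout" behaviour the question asks for.
    Returns a list of session dicts sorted by (key, start).
    """
    open_sessions = {}  # key -> session currently being extended
    closed = []

    def close(sess):
        sess["duration_s"] = int((sess["end"] - sess["start"]).total_seconds())
        closed.append(sess)

    # Sort by time so the input order of log lines does not matter.
    for ts, key, path in sorted(events, key=lambda e: e[0]):
        sess = open_sessions.get(key)
        if sess is not None:
            gap = (ts - sess["end"]).total_seconds()
            length = (ts - sess["start"]).total_seconds()
            if gap > timeout_s or (max_duration_s is not None and length > max_duration_s):
                close(sess)
                sess = None
        if sess is None:
            sess = {"key": key, "start": ts, "end": ts, "hits": 0, "paths": []}
            open_sessions[key] = sess
        sess["end"] = ts
        sess["hits"] += 1
        sess["paths"].append(path)

    for sess in open_sessions.values():
        close(sess)
    return sorted(closed, key=lambda s: (s["key"], s["start"]))


if __name__ == "__main__":
    for s in sessionize(parse_log(SAMPLE_LOGS)):
        print(s["key"], s["start"].isoformat(), s["duration_s"], s["hits"], s["paths"])
```

With the sample input, client-a produces three sessions (the 40-minute and 45-minute gaps split it) and client-b one; setting `max_duration_s` additionally caps how long a single session may grow even when events keep arriving, which is the "max session duration" variant mentioned above. The same split logic is what a transform or scripted metric would need to express per bucket; this script only shows the computation itself.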


Just bumping this thread.

We have a feature request that sounds similar to this requirement.

Does that fit?

I don't think this is possible at the moment, even with the help of Painless.

The challenge is to build the right buckets, I think this requires a new type of top-level aggregation.


That's unfortunate. This is a difficult problem to solve; Logstash's aggregate filter plugin doesn't work to do this either.

What's the recommended way to try and solve this problem? I'm sure I'm not the only one who has tried to do this.

At the moment I can only think of solving this on the application side, e.g. adding a session id into the output.
