Successful Deposit Query advice

Hey guys!

I am pretty sure I am in the wrong mindset for this sort of query, so I would appreciate any nudges in the right direction.

So my use case:
I want all CreditCardDeposit requests
where the response (same UUID as the request) ErrorNo is 0

My currently mapped fields:
OperationType: ["Request","Reply"]
DepositAmount: int
ErrorNo: int
UUID: string

A successful deposit is, in SQL terms:

OperationName = CreditCardDeposit
AND Reply ErrorNo = 0
JOIN on Request UUID = Reply UUID

Requests and Replies are logged on separate lines (app exists between front end and hosts)

Since this query doesn't appear terribly complicated, is there a way I can structure a GET /my_index/_search query to accomplish this? Or do I need to think more about how I should be storing this data? If so, any tips?

Thanks!

Hey Abdon,
Thank you for your reply. That query works! I wouldn't have thought to use aggregations like that.

I am intrigued though about:

create a single document per UUID, and update that document each time a new event occurs for that UUID

Do you know if that is something I can accomplish within a Logstash pipeline? I am guessing something along the lines of:

if (OperationType=response) { (Add fields to document) where request.UUID == response.UUID }

Thanks again for your help. We've only just started using ELK at work and I am still getting the hang of things :)

Ev

Never mind, just found it: good old action method in the elastic output.
This is actually waaaaay more practical. Thank you Thank you Thank you Thank you
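The two approaches this thread ends up with, worked through as an added example (this is not code from the thread, and Abdon's actual query is not reproduced on the page, so the aggregation body below is my own reading of the requirement, not necessarily the one that worked for the poster). The first part answers the original question as stated: with Request and Reply logged as separate documents, group by UUID and keep only the buckets that contain a CreditCardDeposit Request and a Reply with ErrorNo 0. The second part models the "one document per UUID" storage that the final post refers to, i.e. what the Logstash elasticsearch output produces with `action => "update"`, `document_id => "%{UUID}"` and `doc_as_upsert => true`, and shows the join collapsing into a plain filter. Assumptions: the field values `CreditCardDeposit`, `Request` and `Reply` are as written in the post, Reply lines also carry OperationName (if only Request lines do, move that term into the `requests` sub-aggregation filter instead of the top-level query), and UUID/OperationType/OperationName are keyword fields (use `UUID.keyword` etc. if they were dynamically mapped as text). The sample events are constructed for the example and include a reply logged before its request and a request with no reply yet.

```python
"""Added example, not code from the thread or from Elastic: correlating
CreditCardDeposit Request/Reply log lines on UUID, first as an aggregation
query over separate documents, then as one merged document per UUID."""
from collections import defaultdict

# Constructed sample events (one log line each). Field names follow the original
# post; the OperationName values and its presence on Reply lines are assumptions.
SAMPLE_EVENTS = [
    {"UUID": "a1", "OperationType": "Request", "OperationName": "CreditCardDeposit", "DepositAmount": 100},
    {"UUID": "a1", "OperationType": "Reply",   "OperationName": "CreditCardDeposit", "ErrorNo": 0},
    {"UUID": "b2", "OperationType": "Request", "OperationName": "CreditCardDeposit", "DepositAmount": 250},
    {"UUID": "b2", "OperationType": "Reply",   "OperationName": "CreditCardDeposit", "ErrorNo": 17},   # failed
    {"UUID": "c3", "OperationType": "Reply",   "OperationName": "CreditCardDeposit", "ErrorNo": 0},    # reply logged first
    {"UUID": "c3", "OperationType": "Request", "OperationName": "CreditCardDeposit", "DepositAmount": 40},
    {"UUID": "d4", "OperationType": "Request", "OperationName": "CreditCardDeposit", "DepositAmount": 75},  # no reply yet
    {"UUID": "e5", "OperationType": "Request", "OperationName": "Withdrawal",        "DepositAmount": 0},
    {"UUID": "e5", "OperationType": "Reply",   "OperationName": "Withdrawal",        "ErrorNo": 0},
]


def successful_deposit_query(max_uuids=1000):
    """Body for GET /my_index/_search when Request and Reply are separate documents.
    Assumes keyword mappings for UUID, OperationType and OperationName.
    Note: bucket_selector runs after the terms aggregation has picked its top
    `max_uuids` buckets, so for high-cardinality UUIDs page with a composite
    aggregation instead of raising this number."""
    return {
        "size": 0,
        "query": {"term": {"OperationName": "CreditCardDeposit"}},
        "aggs": {
            "by_uuid": {
                "terms": {"field": "UUID", "size": max_uuids},
                "aggs": {
                    "requests": {"filter": {"term": {"OperationType": "Request"}}},
                    "ok_replies": {"filter": {"bool": {"filter": [
                        {"term": {"OperationType": "Reply"}},
                        {"term": {"ErrorNo": 0}},
                    ]}}},
                    "amount": {"sum": {"field": "DepositAmount"}},
                    # Keep only buckets that have both sides of the join.
                    "successful_only": {"bucket_selector": {
                        "buckets_path": {"req": "requests._count", "ok": "ok_replies._count"},
                        "script": "params.req > 0 && params.ok > 0",
                    }},
                },
            }
        },
    }


def successful_deposits(events):
    """In-memory model of the aggregation above: {UUID: DepositAmount} for every UUID
    with a CreditCardDeposit Request AND a Reply whose ErrorNo is 0, regardless of
    which line was logged first. A Reply with no Request is not counted."""
    seen = defaultdict(lambda: {"amount": None, "ok": False})
    for e in events:
        if e.get("OperationName") != "CreditCardDeposit":
            continue
        slot = seen[e["UUID"]]
        if e.get("OperationType") == "Request":
            slot["amount"] = e.get("DepositAmount")
        elif e.get("OperationType") == "Reply" and e.get("ErrorNo") == 0:
            slot["ok"] = True
    return {u: s["amount"] for u, s in seen.items() if s["amount"] is not None and s["ok"]}


def fold_by_uuid(events):
    """Model of one-document-per-UUID indexing: every event is a partial update of
    the document whose _id is the UUID, and the first event for a UUID creates it
    (what doc_as_upsert does), so a Reply that arrives before its Request survives.
    Request and Reply fields are kept under separate keys because a flat merge
    would let the Reply's OperationType overwrite the Request's."""
    docs = {}
    for e in events:
        doc = docs.setdefault(e["UUID"], {"UUID": e["UUID"]})
        if "OperationName" in e:
            doc["OperationName"] = e["OperationName"]
        side = e["OperationType"].lower()  # "request" or "reply"
        doc[side] = {k: v for k, v in e.items()
                     if k not in ("UUID", "OperationType", "OperationName")}
    return docs


def successful_from_folded(docs):
    """With one document per UUID the join disappears; this is the same as a bool
    filter on term OperationName, term reply.ErrorNo = 0 and exists request."""
    return {
        u: d["request"]["DepositAmount"]
        for u, d in docs.items()
        if d.get("OperationName") == "CreditCardDeposit"
        and "request" in d
        and d.get("reply", {}).get("ErrorNo") == 0
    }
```

Both paths yield the same answer on the sample data (a1 and c3; b2 failed, d4 is still pending, e5 is not a deposit). The folded shape is the more practical one for exactly the reason the final post gives: every later question about a transaction becomes a single-document filter instead of a cross-document join, and out-of-order arrival is handled by the upsert rather than by query logic.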
