Consider a source index that contains user authentications. I want to create a transform that contains, for each user, the oldest and newest login. It would look like this:
- Group by user
- Aggregate max(@timestamp) and min(@timestamp)
- run continuously
So what happens to the min(@timestamp) of a user, if index lifecycle management deletes old authentications of that user?
On the next checkpoint, will the transform
- keep the old min(@timestamp) even though the corresponding document was deleted?
- set min(@timestamp) to the oldest authentication that is currently present in the dataset?
I guess what I'm asking is, does the transform keep persistent aggregation state over it's lifetime, or is it re-computed completely on every checkpoint?