I have an index (client_index) that has three fields: @timestamp, user, ip. I have a transform like this:
{
  "id": "my_transform",
  "source": {
    "index": [
      "client_index"
    ],
    "query": {
      "match_all": {}
    }
  },
  "dest": {
    "index": "client_index_transformed"
  },
  "sync": {
    "time": {
      "field": "@timestamp",
      "delay": "60s"
    }
  },
  "pivot": {
    "group_by": {
      "user": {
        "terms": {
          "field": "user"
        }
      }
    },
    "aggregations": {
      "@timestamp.max": {
        "max": {
          "field": "@timestamp"
        }
      },
      "srcip.filter": {
        "filter": {
          "range": {
            "srcip": {
              "gt": "192.168.140.1",
              "lt": "192.168.143.254"
            }
          }
        }
      }
    }
  },
  "description": "hi",
  "settings": {},
  "version": "7.9.2",
  "create_time": 1604933401081
}
And I have detected a problem.
If a user at some point (let's say one month ago) had IP 192.168.140.2, the transform will put it into the client_index_transformed index, which is good.
The problem is that today the user has IP 192.168.240.3, which shouldn't update the client_index_transformed index with the timestamp, but it does.
So, if I query the client_index_transformed index for that user, the max @timestamp will be today and not one month ago. Why is that, and how can I avoid it?
Thanks!
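An added example, not part of the original post, that simulates how the pivot above evaluates its two aggregations: a `max` aggregation is computed over every document in the user's bucket, while a `filter` aggregation with no sub-aggregations only restricts its own doc count. It also shows the effect of applying the same IP range in `source.query` instead, so that only matching documents reach the aggregations at all. The documents, user names and dates are constructed sample data, and the field is named `ip` as in the index description rather than `srcip` as in the transform.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from the original post): one hit inside the
# 192.168.140.1-192.168.143.254 range a month ago, one outside it today.
NOW = datetime(2020, 11, 9, tzinfo=timezone.utc)
MONTH_AGO = NOW - timedelta(days=30)
DOCS = [
    {"@timestamp": MONTH_AGO, "user": "alice", "ip": "192.168.140.2"},
    {"@timestamp": NOW, "user": "alice", "ip": "192.168.240.3"},
    {"@timestamp": NOW - timedelta(days=2), "user": "bob", "ip": "10.0.0.7"},
]

LOW = ipaddress.ip_address("192.168.140.1")
HIGH = ipaddress.ip_address("192.168.143.254")


def in_range(ip: str) -> bool:
    """Mirror the transform's range filter: strictly gt the lower bound, lt the upper."""
    return LOW < ipaddress.ip_address(ip) < HIGH


def pivot_as_posted(docs):
    """Pivot semantics of the posted transform: '@timestamp.max' runs over every
    document in the user's bucket; 'srcip.filter' only counts the matching ones."""
    buckets = {}
    for d in docs:
        b = buckets.setdefault(
            d["user"], {"@timestamp.max": None, "srcip.filter.doc_count": 0}
        )
        if b["@timestamp.max"] is None or d["@timestamp"] > b["@timestamp.max"]:
            b["@timestamp.max"] = d["@timestamp"]   # unconditional: today wins
        if in_range(d["ip"]):
            b["srcip.filter.doc_count"] += 1       # filter only affects the count
    return buckets


def pivot_with_source_query(docs):
    """Same pivot, but with the range applied in source.query, so documents outside
    the range never reach the aggregations (users with no match get no bucket)."""
    return pivot_as_posted([d for d in docs if in_range(d["ip"])])
```

Running `pivot_as_posted(DOCS)` gives alice a max timestamp of today, exactly the behaviour described in the post, while `pivot_with_source_query(DOCS)` gives her the one-month-old timestamp and drops bob, who never matched the range.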