I have an index with geo-tagged login records. Each document includes user, time and location for authentications. I want to find all instances where successive logins are impossible. The location and time of the latest login event for each user is compared to the prior login event. The difference in geo points and times that exceed a certain speed (air-travel) indicate impossible login situations. (I am aware that VPNs and automated logins will produce noise.)
I could do this with an external script that calls the Elasticsearch REST API. However, I feel that I should be able to do this solely with Elasticsearch queries, perhaps creating a temporary index with pairs of the two most recent login events per user. I've only performed simple boolean queries. Any clues how I might accomplish this?
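The pairwise comparison described in the question, as an added example that is not the poster's code and does not use Elasticsearch: records are sorted per user by time, the great-circle distance between each consecutive pair is computed with the haversine formula, and pairs whose implied speed exceeds an assumed air-travel threshold of 1000 km/h are flagged. The record layout (`user`, `time`, `lat`, `lon`) and the sample logins are constructed for the example.

```python
from datetime import datetime
from itertools import groupby
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(records, max_speed_kmh=1000.0):
    """Flag consecutive logins per user whose implied speed exceeds max_speed_kmh.

    records: iterable of dicts with keys user, time (ISO 8601, one time zone), lat, lon.
    Returns a list of (user, earlier_time, later_time, km, kmh) tuples.
    """
    ordered = sorted(records, key=lambda r: (r["user"], datetime.fromisoformat(r["time"])))
    flagged = []
    for user, events in groupby(ordered, key=lambda r: r["user"]):
        prev = None
        for cur in events:
            if prev is not None:
                t0 = datetime.fromisoformat(prev["time"])
                t1 = datetime.fromisoformat(cur["time"])
                hours = (t1 - t0).total_seconds() / 3600.0
                km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
                # Two logins at the same instant from different places are impossible
                # as well, so zero elapsed time with non-zero distance is infinite speed.
                speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
                if speed > max_speed_kmh:
                    flagged.append((user, prev["time"], cur["time"], round(km, 1), round(speed, 1)))
            prev = cur
    return flagged


# Constructed sample records (not real data): alice appears in New York and then in
# Sydney two hours later; bob moves from London to Bristol in 90 minutes.
SAMPLE_LOGINS = [
    {"user": "alice", "time": "2024-03-01T08:00:00", "lat": 40.7128, "lon": -74.0060},
    {"user": "alice", "time": "2024-03-01T10:00:00", "lat": -33.8688, "lon": 151.2093},
    {"user": "bob", "time": "2024-03-01T07:30:00", "lat": 51.5074, "lon": -0.1278},
    {"user": "bob", "time": "2024-03-01T09:00:00", "lat": 51.4545, "lon": -2.5879},
]

if __name__ == "__main__":
    for hit in impossible_travel(SAMPLE_LOGINS):
        print(hit)
```

The input list is exactly what a query sorted by user and time would return, so the same per-user pairing is what a temporary index of "two most recent logins per user" would have to hold.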