I'm tracking user sessions as docs in ES.
Each session is a single doc that gets updated when ever the session state changes.
I'm using daily based indices, and the ID of the doc is the session ID (UUID).
If a session starts before the end of a day, but continues on to the next day, the update will look for it only in the next day's index and thus won't find it and will create a new doc, right?
How can I make logstash look up the doc in multiple indices so I will really only have a single doc per session? Or is there a better way to handle this?
i have an Idea, but it's a little bit complicated. I think the decission in which Index the event is written depends on the timestamp of the doc or other specific fields.
Configure the filter plugin, so that you "join" specific fields (that are responsible for writing in the time based index) from the existing entry in ES. If there is no existing entry with the same UUID, the filter plugin doesn' join anything (because ther is nothing to join) and the doc won't be modified.
If the filter plugin joined the fields of the existing entry, delete the unnecessary and keep the necessary fields for the correct updating to the "old" index.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.