Not sure if this belongs in Kibana or Elastic but here goes.
I've got some log data (openldap) in elasticsearch, but as single lines, so the connect IP is on a different line from the bind command, which is on a different line from the TLS negotiation...
I can use connectionID to link these records, so I can search for, say, connections from 192.168.0.1 and return only connectionID. If I then search by the returned connectionID instead of the IP, I get the transactions for that IP.
Time                               connection  operation_type  openldap_message
September 13th 2018, 12:47:50.409  405248      ACCEPT          from IP=192.168.0.1:1234 (IP=0.0.0.0:636)
September 13th 2018, 12:47:50.417  405248      TLS             established tls_ssf=128 ssf=128
September 13th 2018, 12:47:50.418  405248      BIND            dn="" method=128
September 13th 2018, 12:47:50.418  405248      RESULT          tag=97 err=0 text=
September 13th 2018, 12:47:50.418  405248      SRCH            base="dc=example,dc=com" scope=2 deref=0 filter="(uid=monitor)"
September 13th 2018, 12:47:50.477  405248      SEARCH          RESULT tag=101 err=0 nentries=0 text=
September 13th 2018, 12:47:50.478  405248      UNBIND          -
September 13th 2018, 12:47:50.478  405248      -               closed
Is there any way to make this easier / automate it a bit so that I can search for all the connectionIDs associated with an IP address and return the records for those connectionIDs?
Buckets or scripting look like possibilities, but I'm not sure where to start (point me at logs / demos / training, please).
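The two-step search the post describes (IP to connectionIDs, then connectionIDs to records) as an added, runnable example; this is not code from the original post or from Elastic. It runs the correlation in memory over a constructed set of documents modelled on the table above (connection 405248, plus an invented connection 405249 from 10.0.0.5 so the filter has something to exclude), and it also builds the two Elasticsearch query bodies that do the same thing server-side: a terms aggregation on `connection` to collect the IDs for an IP, then a `terms` filter on those IDs. The field names `connection`, `operation_type` and `openldap_message` come from the post; `@timestamp`, a keyword mapping for `connection`, and a `client_ip` keyword field populated at ingest (e.g. by a grok on the ACCEPT message) are assumptions, since the post's documents only carry the client IP inside `openldap_message`. The `client_ip` regex in the block is the same extraction an ingest pipeline would need.

```python
"""Two-phase correlation of openldap connection logs by client IP.

Added example, not from the original post. Field names connection,
operation_type and openldap_message are from the post; @timestamp and the
keyword field client_ip (extracted at ingest) are assumptions.
"""
import re
from typing import Dict, Iterable, List, Optional, Set

# The ACCEPT message in the post reads "from IP=<client>:<port> (IP=<listener>)".
ACCEPT_RE = re.compile(r"from IP=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+")

# Constructed sample documents: the post's connection 405248, plus an invented
# connection 405249 from another client that a correct filter must exclude.
SAMPLE_DOCS: List[Dict[str, str]] = [
    {"@timestamp": "2018-09-13T12:47:50.409", "connection": "405248",
     "operation_type": "ACCEPT", "openldap_message": "from IP=192.168.0.1:1234 (IP=0.0.0.0:636)"},
    {"@timestamp": "2018-09-13T12:47:50.417", "connection": "405248",
     "operation_type": "TLS", "openldap_message": "established tls_ssf=128 ssf=128"},
    {"@timestamp": "2018-09-13T12:47:50.418", "connection": "405248",
     "operation_type": "BIND", "openldap_message": 'dn="" method=128'},
    {"@timestamp": "2018-09-13T12:47:50.418", "connection": "405248",
     "operation_type": "RESULT", "openldap_message": "tag=97 err=0 text="},
    {"@timestamp": "2018-09-13T12:47:50.418", "connection": "405248",
     "operation_type": "SRCH", "openldap_message": 'base="dc=example,dc=com" scope=2 deref=0 filter="(uid=monitor)"'},
    {"@timestamp": "2018-09-13T12:47:50.477", "connection": "405248",
     "operation_type": "SEARCH", "openldap_message": "RESULT tag=101 err=0 nentries=0 text="},
    {"@timestamp": "2018-09-13T12:47:50.478", "connection": "405248",
     "operation_type": "UNBIND", "openldap_message": "-"},
    {"@timestamp": "2018-09-13T12:47:50.478", "connection": "405248",
     "operation_type": "-", "openldap_message": "closed"},
    {"@timestamp": "2018-09-13T12:47:51.001", "connection": "405249",
     "operation_type": "ACCEPT", "openldap_message": "from IP=10.0.0.5:4321 (IP=0.0.0.0:636)"},
    {"@timestamp": "2018-09-13T12:47:51.003", "connection": "405249",
     "operation_type": "BIND", "openldap_message": 'dn="cn=admin,dc=example,dc=com" method=128'},
]


def client_ip(doc: Dict[str, str]) -> Optional[str]:
    """Client IP of an ACCEPT record (what an ingest grok would put in client_ip); None otherwise."""
    if doc.get("operation_type") != "ACCEPT":
        return None
    m = ACCEPT_RE.search(doc.get("openldap_message", ""))
    return m.group("ip") if m else None


def connection_ids_for_ip(docs: Iterable[Dict[str, str]], ip: str) -> Set[str]:
    """Phase 1: connection ids whose ACCEPT record came from `ip`."""
    return {d["connection"] for d in docs if client_ip(d) == ip}


def records_for_connections(docs: Iterable[Dict[str, str]], conn_ids: Set[str]) -> List[Dict[str, str]]:
    """Phase 2: every record on those connections, in time order (stable for equal timestamps)."""
    return sorted((d for d in docs if d["connection"] in conn_ids), key=lambda d: d["@timestamp"])


def sessions_for_ip(docs: List[Dict[str, str]], ip: str) -> List[Dict[str, str]]:
    """Both phases together: all records of all connections opened from `ip`."""
    return records_for_connections(docs, connection_ids_for_ip(docs, ip))


def phase1_query(ip: str, max_connections: int = 1000) -> dict:
    """Elasticsearch body for phase 1: bucket the connection ids of ACCEPT records from `ip`.
    Assumes `connection` and `client_ip` are keyword fields (assumption, see lead-in)."""
    return {
        "size": 0,  # only the aggregation buckets are wanted, not the hits
        "query": {"bool": {"filter": [
            {"match": {"operation_type": "ACCEPT"}},
            {"term": {"client_ip": ip}},
        ]}},
        "aggs": {"conns": {"terms": {"field": "connection", "size": max_connections}}},
    }


def phase2_query(conn_ids: Set[str], size: int = 10000) -> dict:
    """Elasticsearch body for phase 2: a terms filter on the ids taken from the phase-1 buckets."""
    return {
        "query": {"terms": {"connection": sorted(conn_ids)}},
        "sort": [{"@timestamp": "asc"}, {"connection": "asc"}],
        "size": size,
    }


if __name__ == "__main__":
    for rec in sessions_for_ip(SAMPLE_DOCS, "192.168.0.1"):
        print(rec["@timestamp"], rec["connection"], rec["operation_type"], rec["openldap_message"])
```

Two caveats when running this against a real index: the phase-1 aggregation is capped at `max_connections` buckets, so a busy client with more connections than that in the time range needs a larger `size` or a composite aggregation, and phase 2 hits `index.max_result_window` (10000 by default) on large result sets, at which point `search_after` or a scroll is needed instead of a single `size`. Note also that the BIND record in the post's own sample has `dn=""`, i.e. an anonymous simple bind, which is exactly the kind of thing this per-connection view makes easy to spot.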