Hi,
I have two documents (?) with 3 indices:

| @timestamp | request_id | exit | process_id |
| --- | --- | --- | --- |
| May 18th 2018, 17:17:36.074 | 965ff327-5aae-11e8-a5e5-196607b31323 | - | 96608fdb-5aae-11e8-98d0-4d98e324480e |
| May 18th 2018, 17:17:35.324 | 965ff327-5aae-11e8-a5e5-196607b31323 | 400 | - |

As you can see, request_id is the same for both documents, but in one case exit exists but not process_id, and vice versa. What I would like is to have a saved search result in Kibana that returns something like this:

| @timestamp | request_id | exit | process_id |
| --- | --- | --- | --- |
| May 18th 2018, 17:17:36.074 | 965ff327-5aae-11e8-a5e5-196607b31323 | 400 | 96608fdb-5aae-11e8-98d0-4d98e324480e |
I have aggregated the result based on request_id:

```json
GET cwl-2018.05.18/_search
{
  "size": 0,
  "aggs": {
    "aggregate_req_id": {
      "terms": { "field": "request_id.keyword" }
    }
  }
}
```

Now I have a response with the result of the aggregation, saying that for each bucket there are two documents. I would like to vertically coalesce that aggregation, so that each bucket has a single document. I'm searching for resources but I can't find any.
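The "vertical coalesce" the post describes, done client-side on search hits, as an added example (not part of the original post): documents are grouped by request_id, each field takes the first non-missing value, the row keeps the latest @timestamp, and conflicting non-missing values are recorded instead of silently dropped. The sample documents are constructed from the two rows above; "-" stands for a missing field, and timestamps are assumed to be ISO strings so they sort chronologically as text.

```python
from typing import Dict, List, Sequence, Tuple

# Constructed sample mirroring the two documents in the question (the
# "_source" of each hit). "-" marks a field that is absent, as Kibana shows it.
SAMPLE_DOCS: List[Dict[str, str]] = [
    {"@timestamp": "2018-05-18T17:17:36.074",
     "request_id": "965ff327-5aae-11e8-a5e5-196607b31323",
     "exit": "-", "process_id": "96608fdb-5aae-11e8-98d0-4d98e324480e"},
    {"@timestamp": "2018-05-18T17:17:35.324",
     "request_id": "965ff327-5aae-11e8-a5e5-196607b31323",
     "exit": "400", "process_id": "-"},
]

MISSING = {None, "", "-"}
FIELDS: Sequence[str] = ("exit", "process_id")


def coalesce_by_request_id(docs: List[Dict[str, str]],
                           fields: Sequence[str] = FIELDS) -> Dict[str, Dict]:
    """Merge every document sharing a request_id into one row.

    Returns {request_id: row}. A row carries request_id, the latest @timestamp,
    one value per field ("-" if no document had it) and a "conflicts" list of
    (field, kept_value, other_value) tuples for values that disagreed.
    """
    merged: Dict[str, Dict] = {}
    for doc in docs:
        rid = doc["request_id"]
        if rid not in merged:
            merged[rid] = {"request_id": rid, "@timestamp": doc["@timestamp"],
                           "conflicts": []}
        row = merged[rid]
        # Assumption: ISO-formatted strings, so max() picks the latest timestamp.
        row["@timestamp"] = max(row["@timestamp"], doc["@timestamp"])
        for field in fields:
            value = doc.get(field)
            if value in MISSING:
                continue                      # nothing to contribute for this field
            if field not in row:
                row[field] = value            # first non-missing value wins
            elif row[field] != value:
                row["conflicts"].append((field, row[field], value))
    # Fill fields no document provided, so every row has the same columns.
    for row in merged.values():
        for field in fields:
            row.setdefault(field, "-")
    return merged


if __name__ == "__main__":
    for row in coalesce_by_request_id(SAMPLE_DOCS).values():
        print(row)
```

Hits for a real index would come from a `_search` response's `hits.hits[*]._source`, paged through so that both documents of each request_id are seen.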