Hi Jürgen,
There's not really a join operation in Elasticsearch or Kibana. But there might be a way to get what you need. I have winlogbeat installed on Windows Home version. If you give me a little direction for turning on the audit logging for file shares I could look at similar data as you.
Are you getting separate docs in Elasticsearch where some docs have the deleted file event_id and a file id, and other docs which have the file id and file name? And if so, is it a 1 to 1 match?
Can you post a couple of example docs here?
Thanks,
Lee