Here is a task that puzzles me: I am looking at events of remote connections and I want to display the connections that are currently active. One connection has events like “login”, “authentication_try”, “session_closed”, etc. and the same session_id. The number of logs with the same session_id may vary, since, for example, there might be more than one authentication_try.
So I would like to first group all events with the same session_id and then filter out those that do not have a “session_closed” event.
I tried to implement this with one or two streams (join) but did not come to a solution. With one stream I cannot give an exact number of logs “having same session_id”, with two streams I would need something like
“[session_id=*] as first-stream
[session_id=*] as second-stream
on first-stream.session_id=second-stream.session_id AND first-stream.log_ts!=second-stream.log_ts”. Also a “not followed by” could have been a solution for this, which does not exist.
Does anyone have an idea how to accomplish this (without using a Playbook)?
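The logic asked for above (group by session_id, then keep only the sessions that never produced a “session_closed” event, whatever the number of events per session), written as an added Python example rather than in the SIEM's own query language. It is not from the original post; the line format, the field name log_ts and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: "<log_ts> session_id=<id> event=<name>", any number of lines per session
SAMPLE_LOGS = """\
2024-01-01T10:00:00Z session_id=s1 event=login
2024-01-01T10:00:01Z session_id=s1 event=authentication_try
2024-01-01T10:00:02Z session_id=s1 event=authentication_try
2024-01-01T10:05:00Z session_id=s1 event=session_closed
2024-01-01T10:01:00Z session_id=s2 event=login
2024-01-01T10:01:01Z session_id=s2 event=authentication_try
2024-01-01T10:02:00Z session_id=s3 event=login
2024-01-01T10:02:01Z session_id=s3 event=authentication_try
2024-01-01T10:02:05Z session_id=s3 event=session_closed
2024-01-01T10:03:00Z session_id=s4 event=login
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+session_id=(?P<sid>\S+)\s+event=(?P<event>\S+)$")

def parse_events(text):
    """Yield (log_ts, session_id, event) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("sid"), m.group("event")

def active_sessions(text, close_event="session_closed"):
    """Group events by session_id, then drop every session that has a close_event.
    Collecting all events first means the check works however many
    authentication_try (or other) events a session produced.
    """
    grouped = defaultdict(list)
    for ts, sid, event in parse_events(text):
        grouped[sid].append((ts, event))
    result = {}
    for sid, events in grouped.items():
        names = [e for _, e in events]
        if close_event in names:
            continue  # session finished, so it is not active
        result[sid] = {
            "first_ts": min(ts for ts, _ in events),  # earliest event, e.g. the login
            "event_count": len(events),
            "auth_tries": names.count("authentication_try"),
        }
    return result

if __name__ == "__main__":
    for sid, info in sorted(active_sessions(SAMPLE_LOGS).items()):
        print(sid, info)
```

Running it on the sample leaves only s2 and s4, the two sessions with no closing event.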