Clever Geek Handbook

ElasticSearch: series of events (is it possible to create an ordered list?)

I am using the latest version of Logstash, ElasticSearch and Kibana for parsing / filtering / stock / querying and rendering logs. I am working on a series of events.

This record registers users doing events at different times (in a specific order).

Example:

 {
   "name" : "user1",
   "event" : "event1",
   "timestamp" : 31/Dec/2014:23:50:00 +0000
 }
 {
   "name" : "user1",
   "event" : "event2",
   "timestamp" : 31/Dec/2014:23:52:00 +0000
 }
 {
   "name" : "user2",
   "event" : "event1",
   "timestamp" : 31/Dec/2014:23:52:00 +0000
 }
 {
   "name" : "user2",
   "event" : "event1",
   "timestamp" : 31/Dec/2014:23:57:00 +0000
 }
 {
   "name" : "user3",
   "event" : "event3",
   "timestamp" : 31/Dec/2014:23:50:00 +0000
 }

I would like to count the number of unique users for each possible sequence of events . Answered this question: How many users completed a specific sequence of events?

In this example, as a result of the request, I would like something like this:

 "EVENTS" : [
     {
         "key" : "event1", "doc_count" : 2,
         "CHILDREN " : [
             {"key" : "event2", "doc_count" : 1}
             {"key" : "event1", "doc_count" : 1}
         ]
     },
     {
         "key" : "event3","doc_count" : 1     
     }
 ]

Here we can say: There are 2 users who start with "event1", 1 continue with "event2" and others with "event1", and there are 1 users who begin with "event3".

So, I would like to aggregate user events in order of order (starting with the first and then the next events).

I'm new to this, but I've researched a lot and done a lot of brainstorming already.

  • I already did the aggregation on the "name" field, then the aggregation on the "event" field, sorted by timestamp, which gives me the ordered events by the user. But then I can't do the aggregation over / from this buckets result by taking first, then the second .... Or am I missing something?
  • Then I got curious about a new way to index my data: create a unique ID for each user and update / update the event in the ordered list over and over again. Thus, it is possible to manipulate an array field by adding elements and preserving the order . I've already tried tag, but it is not an ordered array, so I can't access tags [0], tags [1] .... Same for nested object. Am I correct?
  • Last idea: if I had an ordered list, adding the name of the iterative field as the order of occurrence. Something like:{"0":"event1", "1":"event2", "2":"event3"}

But I cannot find an easy way to do this.

Any idea (s) / help?

Thank!

+3


source to share


No one has answered this question yet

Check out similar questions:



More articles:


All Articles