I'm using elasticsearch + kibana + logstash + filebeat, latest 6.4.1, to collect and analyze web logs. The columns of my log are like:

timestamp, http_method, request_uri, http_status, host, user_agent, client_ip, client_port

I have configured ELK to show my logs in Kibana. But now I want to see my logs in sessions. I hope the log lines can be grouped by session and shown in Kibana's Discover page. In my scenario, the log lines with the same (host, client_ip) belong to the same session.

I hope the Discover with session/grouping UI can show all the sessions. And I can still see the log lines inside one session when I click it.

Is it possible to do it? Or what's the best way to do it? Thanks.
Discover shows you the log entries as raw documents as they are stored; you can save the search on Discover, even without filtering anything. Through Visualize you can create widgets, and these can aggregate data like sessions. I usually make one or two "visual builder" visualizations for timelines, a data table for (request_uri, host, user_agent, client_ip) and a pie for http_status. With these visuals you can create a Dashboard and include the saved search from Discover. On this dashboard you can search and filter, and if you add the search from Discover, the dashboard will still show the raw data for each. I only use Discover after adding new indices.
https://www.elastic.co/guide/en/kibana/current/visualize.html
https://www.elastic.co/guide/en/kibana/current/dashboard.html
If you really want the index to contain the host/client_ip as an aggregate, you have to group the data before you store it in elasticsearch. A Dashboard sounds like a better idea.
EDIT: As Waleed Ali described, the visualization could look like this
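As an added illustration of the two approaches in the reply above (aggregate in Kibana/Elasticsearch, or group the data before indexing), the following Python is example code written for this thread and is not from the Elastic project or any poster. It parses a few constructed log lines in the column order from the question, groups them into (host, client_ip) sessions, produces a per-session summary like a Kibana data table, tags each document with a session_id field that Logstash could add before storing, and builds the Elasticsearch 6.x request body (a composite aggregation with top_hits) that yields the same session view server-side. The field names host.keyword, client_ip.keyword and timestamp are assumptions about the mapping; adjust them to your own index.

```python
"""Group web-log lines into (host, client_ip) sessions, and build the
Elasticsearch aggregation that produces the same session view server-side.
Added example for this discussion; sample data and field names are constructed."""
import json
from collections import OrderedDict

# Constructed sample log lines, same column order as in the question:
# timestamp, http_method, request_uri, http_status, host, user_agent, client_ip, client_port
SAMPLE_LOG = """\
2018-09-20T10:00:01Z,GET,/login,200,shop.example,Mozilla/5.0,203.0.113.10,51000
2018-09-20T10:00:02Z,POST,/login,302,shop.example,Mozilla/5.0,203.0.113.10,51001
2018-09-20T10:00:03Z,GET,/admin,403,shop.example,curl/7.58,198.51.100.7,42000
2018-09-20T10:00:04Z,GET,/cart,200,shop.example,Mozilla/5.0,203.0.113.10,51002
2018-09-20T10:00:05Z,GET,/,200,blog.example,Mozilla/5.0,203.0.113.10,51003
"""

COLUMNS = ["timestamp", "http_method", "request_uri", "http_status",
           "host", "user_agent", "client_ip", "client_port"]


def parse_log(text):
    """Turn CSV-style log lines into documents keyed by the column names above."""
    docs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        values = line.split(",")
        if len(values) != len(COLUMNS):
            raise ValueError("malformed line: %r" % line)
        doc = dict(zip(COLUMNS, values))
        doc["http_status"] = int(doc["http_status"])
        doc["client_port"] = int(doc["client_port"])
        docs.append(doc)
    return docs


def group_sessions(docs):
    """Client-side grouping: one session per (host, client_ip), lines in time order."""
    sessions = OrderedDict()
    for doc in docs:
        sessions.setdefault((doc["host"], doc["client_ip"]), []).append(doc)
    for lines in sessions.values():
        lines.sort(key=lambda d: d["timestamp"])
    return sessions


def session_summary(sessions):
    """One row per session, like a Kibana data table split by host and client_ip."""
    rows = []
    for (host, ip), lines in sessions.items():
        rows.append({
            "host": host, "client_ip": ip, "count": len(lines),
            "first": lines[0]["timestamp"], "last": lines[-1]["timestamp"],
            "statuses": sorted({d["http_status"] for d in lines}),
        })
    return rows


def tag_session_id(docs):
    """'Group before you store': add a session_id field (host|client_ip) to every
    document so Kibana can filter or split on a single keyword field. The same
    enrichment can be done in a Logstash filter before indexing."""
    for doc in docs:
        doc["session_id"] = "%s|%s" % (doc["host"], doc["client_ip"])
    return docs


def session_agg_query(size=100, hits_per_session=50):
    """Elasticsearch 6.x request body: composite aggregation keyed on host and
    client_ip, with top_hits returning the raw lines of each session.
    Assumed mapping: string fields have an aggregatable .keyword sub-field
    (Logstash's default dynamic mapping) and 'timestamp' is a date field."""
    return {
        "size": 0,
        "aggs": {
            "sessions": {
                "composite": {
                    "size": size,
                    "sources": [
                        {"host": {"terms": {"field": "host.keyword"}}},
                        {"client_ip": {"terms": {"field": "client_ip.keyword"}}},
                    ],
                },
                "aggs": {
                    "lines": {
                        "top_hits": {
                            "size": hits_per_session,
                            "sort": [{"timestamp": {"order": "asc"}}],
                            "_source": ["timestamp", "http_method",
                                        "request_uri", "http_status"],
                        }
                    }
                },
            }
        },
    }


if __name__ == "__main__":
    docs = tag_session_id(parse_log(SAMPLE_LOG))
    for row in session_summary(group_sessions(docs)):
        print(row)
    print(json.dumps(session_agg_query(), indent=2))
```

The composite aggregation pages through all (host, client_ip) pairs with after_key, so it scales past the bucket limits a plain terms aggregation would hit; the session_id field is the cheaper option if all you need is a single value to filter on in Discover.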