Hoping to get some guidance here.

I'm trying to correlate session-ids from two different events, a **heartbeat** sent every 10 minutes and a **disconnect** which could be sent any time. The goal is to get the number of active sessions for the last 10 minutes in a Kibana visualization.

I don't think this is possible with the raw events in Elasticsearch, is that correct?

Would a Logstash pipeline be the general approach here?

It seems like I should be able to use something [like this Aggregate Filter example](https://www.elastic.co/guide/en/logstash-versioned-plugins/current/v2.9.0-plugins-filters-aggregate.html#v2.9.0-plugins-filters-aggregate-example3), using the **heartbeat** to add session-ids to a periodic "active sessions" event and the **shutdown** to remove the session-id. Does this seem like a reasonable approach or is there something simpler?

If this is the approach, can I initialize the next "active sessions" array from the most recent active-sessions event?
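
The bookkeeping described in the post, as an added example that is not part of the original post and is not a Logstash configuration: plain Ruby (the language the aggregate filter's `code` option takes) that carries the session map from one snapshot to the next, removes a session on disconnect, and expires a session whose last heartbeat is older than one interval. The field names (`ts`, `type`, `session_id`), the function name and the sample events are assumptions constructed for illustration.

```ruby
require "time"

HEARTBEAT_INTERVAL = 600 # seconds: the 10-minute heartbeat period from the post

# Constructed sample events; field names are assumptions, not a real schema.
SAMPLE_EVENTS = [
  { ts: "2024-01-01T00:01:00Z", type: "heartbeat",  session_id: "a" },
  { ts: "2024-01-01T00:02:00Z", type: "heartbeat",  session_id: "b" },
  { ts: "2024-01-01T00:03:00Z", type: "heartbeat",  session_id: "c" },
  { ts: "2024-01-01T00:07:00Z", type: "disconnect", session_id: "b" },
  { ts: "2024-01-01T00:11:00Z", type: "heartbeat",  session_id: "a" },
  # "c" goes silent here: no further heartbeat and no disconnect event.
  { ts: "2024-01-01T00:14:00Z", type: "heartbeat",  session_id: "d" },
  { ts: "2024-01-01T00:21:00Z", type: "heartbeat",  session_id: "a" },
  { ts: "2024-01-01T00:24:00Z", type: "heartbeat",  session_id: "d" },
  { ts: "2024-01-01T00:26:00Z", type: "disconnect", session_id: "d" },
].freeze

# Emits one "active sessions" snapshot per interval between start and stop.
# State (session_id => last heartbeat time) is carried across snapshots.
def active_session_snapshots(events, start:, stop:, interval: HEARTBEAT_INTERVAL)
  sorted = events.map { |e| e.merge(at: Time.iso8601(e[:ts])) }.sort_by { |e| e[:at] }
  last_seen = {}
  snapshots = []
  idx = 0
  tick = Time.iso8601(start) + interval
  stop_at = Time.iso8601(stop)

  while tick <= stop_at
    # Apply every event that arrived up to this snapshot time.
    while idx < sorted.length && sorted[idx][:at] <= tick
      event = sorted[idx]
      case event[:type]
      when "heartbeat"  then last_seen[event[:session_id]] = event[:at]
      when "disconnect" then last_seen.delete(event[:session_id])
      end
      idx += 1
    end
    # A session that missed a whole heartbeat interval is treated as gone,
    # even though no disconnect was ever received for it.
    last_seen.delete_if { |_id, seen| tick - seen > interval }
    snapshots << { at: tick.utc.iso8601, active: last_seen.keys.sort, count: last_seen.size }
    tick += interval
  end
  snapshots
end

if __FILE__ == $PROGRAM_NAME
  puts active_session_snapshots(SAMPLE_EVENTS, start: "2024-01-01T00:00:00Z",
                                               stop: "2024-01-01T00:30:00Z")
end
```

Without the staleness check, session "c" would stay in every later snapshot, so a count built only from heartbeat-adds and disconnect-removes drifts upward whenever a client drops without sending a disconnect.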