I'm trying to use the 'elapsed' plugin to differentiate between two events. When the plugin detects multiple start events, it uses the first to measure the elapsed time. I would like to add an option for it to use the newest start event instead of the first.
I have a situation where a start event may or may not lead to a second event, with the unique identifier staying the same. I need to measure the time between the newest start event and the end event.
Any thoughts on adding this as a standard feature of this plugin?
Quick configuration example:
filter {
  elapsed {
    start_tag => "start event tag"
    end_tag => "end event tag"
    unique_id_field => "id field name"
    timeout => seconds
    new_event_on_match => true/false
    start_event => "first"/"newest"
  }
}
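
To make the difference between the two requested modes concrete, here is a small Ruby model of the start/end pairing. It is an added example, not part of the original post and not the plugin's source. The function name `elapsed_times`, the event hash layout, the sample events and the simplified timeout handling (an expired start is silently dropped) are assumptions made for illustration; `start_event` mirrors the option proposed above.

```ruby
# Illustrative model only (hypothetical helper, not the elapsed plugin's code).
# events:      array of hashes { ts: Time, id: String, tag: "start" | "end" }
# start_event: "first"  keeps the earliest pending start for an id;
#              "newest" (the option proposed in the post) lets each later
#              start replace the pending one.
# timeout:     seconds after which a pending start no longer counts (assumed
#              simplification: the pair is dropped, nothing is emitted).
def elapsed_times(events, start_event: "first", timeout: 1800)
  unless %w[first newest].include?(start_event)
    raise ArgumentError, "start_event must be \"first\" or \"newest\""
  end

  pending = {} # unique id => timestamp of the start event currently tracked
  results = []

  events.sort_by { |e| e[:ts] }.each do |e|
    case e[:tag]
    when "start"
      # "first": ignore duplicates; "newest": always overwrite.
      pending[e[:id]] = e[:ts] if start_event == "newest" || !pending.key?(e[:id])
    when "end"
      started = pending.delete(e[:id])
      next if started.nil?            # end without a tracked start
      delta = e[:ts] - started        # Float seconds
      next if delta > timeout         # start had already expired
      results << { id: e[:id], elapsed: delta }
    end
  end
  results
end

# Constructed sample: id "abc" has two start events before its end event.
SAMPLE_EVENTS = [
  { ts: Time.utc(2024, 1, 1, 10, 0, 0),  id: "abc", tag: "start" },
  { ts: Time.utc(2024, 1, 1, 10, 0, 40), id: "abc", tag: "start" },
  { ts: Time.utc(2024, 1, 1, 10, 0, 45), id: "abc", tag: "end" },
  { ts: Time.utc(2024, 1, 1, 10, 1, 0),  id: "def", tag: "start" },
  { ts: Time.utc(2024, 1, 1, 10, 1, 10), id: "def", tag: "end" }
].freeze

%w[first newest].each do |mode|
  puts "#{mode}: #{elapsed_times(SAMPLE_EVENTS, start_event: mode).inspect}"
end
```

With the constructed sample, only the id that has a repeated start event ("abc") changes between the two modes; ids with a single start are measured identically.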