Behavior of the aggregate filter when timeout_timestamp_field is set

The second line goes through the second aggregate filter, and that does not have any timeout options set, so it does not do timeout processing. You can only have timeout options on one aggregate filter. If you try to add them to the second aggregate you will get an error.

We could change things to use a single aggregate:

    aggregate {
        task_id => "%{taskid}"
        timeout_timestamp_field => "event_time"
        timeout_task_id_field => "taskid"
        code => '
            map["sql_duration"] ||= 0
            d = event.get("duration")
            if d
                map["sql_duration"] += d
            end
        '
        timeout => 20
        push_map_as_event_on_timeout => true
    }

This will trigger the timeout on the second line, but timeout processing occurs before the code block executes, so the event that is created at that time will have duration set to 0. Another event created by a later timeout will have the correct value in it.