Hi, I apologize in advance if the request appears incorrect
I need to calculate the time difference between a request and the response of a REST service. This service produces two logs, one for the request and one for the response, and they have different structures, so I am forced to use two grok filters.
With this premise, below is an example of how it could be:
    filter {
      grok {
        # grok service
        match => { "message" => "\"%{GREEDYDATA:url}/service-name\"" }
        # add_field takes a hash of field => value
        add_field => { "name" => "match-service" }
      }
      if [name] == "match-service" {
        # grok request service
        grok {
          match => { "message" => "\"%{TIMESTAMP_ISO8601:timestamp}\"\|\"transId: %{GREEDYDATA:transactionId}\"\|\"reqId: %{GREEDYDATA:requestId}\"\|...." }
          add_field => { "service" => "request" }
        }
        if [service] == "request" {
          date {
            match => [ "timestamp", "yyyy-MM-dd HH:mm:ss:SSS" ]
            target => "t1"
          }
        }
        # grok response service
        grok {
          match => { "message" => "\"%{TIMESTAMP_ISO8601:timestamp}\"\|\"transId: %{GREEDYDATA:transactionId}\"\|\"resId: %{GREEDYDATA:responseId}\"\|...." }
          add_field => { "service" => "response" }
        }
        if [service] == "response" {
          date {
            match => [ "timestamp", "yyyy-MM-dd HH:mm:ss:SSS" ]
            target => "t2"
          }
        }
      }
    }
Could I aggregate the logs to get the difference between t2 and t1? I think it can be done with aggregate, setting transactionId as task_id, but I don't know if it's possible.
Thanks
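The pairing described in the question can be done with the aggregate filter. The block below is an added example, not part of the original post: it assumes the fields the post's grok and date filters already produce (service, transactionId, t1, t2), stores t1 in the aggregate map when the request line arrives, and computes the difference when the matching response line arrives. The duration_ms field name and the 300-second timeout are assumptions chosen for the example.

```logstash
filter {
  # Request line: open a task keyed on transactionId and remember t1 as epoch seconds.
  if [service] == "request" {
    aggregate {
      task_id => "%{transactionId}"
      code => "map['t1'] = event.get('t1').to_f"
      map_action => "create"
    }
  }

  # Response line: close the task and compute the round trip in milliseconds.
  # With map_action => "update" the code only runs when a map for this
  # transactionId exists, so a response without a request leaves duration_ms unset.
  if [service] == "response" {
    aggregate {
      task_id => "%{transactionId}"
      code => "event.set('duration_ms', ((event.get('t2').to_f - map['t1']) * 1000).round)"
      map_action => "update"
      end_of_task => true
      # Expire requests that never get a response so the in-memory map cannot grow without bound;
      # the expired map is emitted as its own event, tagged, so those requests stay visible.
      timeout => 300
      timeout_task_id_field => "transactionId"
      push_map_as_event_on_timeout => true
      timeout_tags => ["request_without_response"]
    }

    # Flag responses that arrived with no matching request (or after its timeout).
    if ![duration_ms] {
      mutate { add_tag => ["response_without_request"] }
    }
  }
}
```

Two points matter in practice. The aggregate map is shared state inside one Logstash process, so the pipeline must run with a single worker (`pipeline.workers: 1` or `-w 1`), otherwise a response can be processed before its request and the pair is never matched. And t1 and t2 are LogStash::Timestamp objects set by the date filters, which is why the code converts them with `.to_f` before subtracting.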