Hello,
I am migrating from Splunk to ELK and I am trying to find a similar function to the "transaction" function in Splunk.
This function aggregates events who shares a common value in a defined field and offers a useful function "duration" that give the time elapsed between the events.
I saw that the "elapsed" function in Logstash would propose something similar but It's not quite possible in our architecture.
Is there a way to obtain a similar function in Kibana ?
Thank you.
Unfortunately, there does not appear to be an aggregation in Elasticsearch that can compute duration between documents. So there is no way to do this in Kibana.
Computing the duration as a field in the document (such as using the elapsed function in Logstash) is the best way to do this.
There is more background information in this thread. How to find correlated messages and time between them
Thanks for this first response.
As I said, the implementation of the elapsed function seems to be difficult in our actual architecture...
The fact is that each event has an absolute date field, and an event_id field
Is is possible to associate events on a common field in Kibana ?
Then would it be possible to compute the "time difference" betwenn this two elements (maybe with a Timelion request) ?
Thanks
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.