Calculate time delta between log entries with matching ID and matching Command

Toon_Van_Eyck · November 28, 2017, 4:17pm

I have some logs in my elasticsearch database formated like this:

Timestamp                           |   ID  |  Command
------------------------------------+-------+---------------------------
November 24th 2017, 14:49:00.11614  |   0   |  CONNECTION_REQUEST
November 24th 2017, 14:49:00.13510  |   1   |  CONNECTION_REQUEST
November 24th 2017, 14:49:00.18714  |   0   |  CONNECTION_COMPLETE
November 24th 2017, 14:49:00.26010  |   1   |  CONNECTION_COMPLETE
November 24th 2017, 14:50:20.7850   |   2   |  CONNECTION_REQUEST
November 24th 2017, 14:50:20.8051   |   2   |  CONNECTION_REQUEST
November 24th 2017, 14:50:20.8450   |   2   |  CONNECTION_COMPLETE

There are connection_requests and connection_completed messages that both specify an ID. It can occur that A connection_request is retransmitted before the connection_complete happened. There are also logs in between with other commands but they are not concidered here.

What I want to calculate is the time between the first connection_request and the connection_complete for each ID

e.g.:

Time_0 = November 24th 2017, 14:49:00.18714 - November 24th 2017, 14:49:00.11614 = 7100ms
Time_1 = November 24th 2017, 14:49:00.26010 - November 24th 2017, 14:49:00.13510 = 12500ms
Time_2 = November 24th 2017, 14:50:20.8450  - November 24th 2017, 14:50:20.7850  = 600ms

I can make a bucket of the CONNECTION_COMPLETE logs but then how do I get the first occurrence of CONNECTION_REQUEST with the same ID before the timestamp of the CONNECTION_COMPLETE. I don't really know what aggregator(s) to use and how to make them interact with each other

Joe_Fleming · November 28, 2017, 7:23pm

You're not going to be able to do this in Kibana's visualizations, since this isn't an aggregation operation. What you need is a way to query for the first command and then query again for the second command and do an operation on the values from both. I believe pipeline aggs will allow you to do what you want, but Kibana's core visualizations don't support them.

You could change your data to enable this, and then it becomes pretty easy, but you offload the calculation to the indexing process. Basically, you store both times in a single document, and you could even calculate the delta as you update the document with the CONNECTION_COMPLETE time. But the way you are indexing data right now, this isn't possible in Kibana, and it's tricky (or maybe impossible, I'm not 100% that pipelines can do this) to query this in Elasticsearch.

stevedearl · November 30, 2017, 3:01pm

Take a look at the 'Elapsed' plugin for Logstash - we're using this to do exactly what you need. As long as you have a unique correlating ID between the start and end transactions you want to calculate the time between it will work.

Cheers,
Steve

system · December 28, 2017, 3:05pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Calculate delta time between the log and pervious one Kibana	4	494	February 4, 2019
Need help to calculate time delta in ES/Kibana Kibana elastic-stack-reporting	6	5875	June 19, 2017
Calculating time between two events from same request id Kibana	4	526	April 17, 2024
Comparing date/time from two different documents Kibana	9	3355	June 5, 2018
How to calculate time difference between 2 log lines for a unique ID Kibana	5	8586	December 26, 2018

Calculate time delta between log entries with matching ID and matching Command

Related topics