Calculate time difference between 2 events with unique id

Elastic Stack Logstash
1

Hi,

I have two events with same field idRda like the following, I need to calculate the difference between the timestamp

"message": "2022-12-13 14:52:00.399 {[ACTIVE] ExecuteThread: 5 for queue: weblogic.kernel.Default (self-tuning)} INFO idRda:[4040477] timestamp:[1670939520399]",
"message": "2022-12-13 14:52:06.203 {[ACTIVE] ExecuteThread: 12 for queue: weblogic.kernel.Default (self-tuning)} INFO idRda:[4040477] timestamp:[1670939526203]",

I try to use aggregate filter but for the moment it doesn't work.

filter {

  aggregate {
    task_id => "%{idreport}"
    code => '
    map["firstEvent"] ||=  event.get("timestamp")
    map["lastEvent"] =  event.get("timestamp")'
    timeout_code => '
    require "time"
    starttime = Time.iso8601(event.get("firstEvent").to_s).to_f
    endtime   = Time.iso8601(event.get("lastEvent").to_s).to_f
    event.set("overallTime", endtime - starttime)'
  }
}

Thank you
Regards.

2

Unless you are setting push_map_as_event_on_timeout the event will not have those fields.

1 Like
3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.