i want to calculate the difference in time between 2 logs different and add the value to a new field
i search in google and i find that is possible with painless scripting but i dont know how to do it
if there is anyone who already use painless scripting to add new fields can help me
btw i inject logs with filebeat to elastic saerch
thank you so much
On its own, using painless to add a field is pretty straightforward. This would be easier to accomplish if the time differences were stored on the same document. Here's an example _update_by_query painless script of that scenario:
POST log_duration_testing/_update_by_query
{
"query": {
"match_all": {}
},
"script": {
"lang": "painless",
"source": """
ZonedDateTime zdt_start = ZonedDateTime.parse(ctx._source['event_start_datetime']);
ZonedDateTime zdt_stop = ZonedDateTime.parse(ctx._source.event_stop_datetime);
long event_start_datetime_millis = zdt_start.toInstant().toEpochMilli();
long event_stop_datetime_millis = zdt_stop.toInstant().toEpochMilli();
long durationMillis = event_stop_datetime_millis - event_start_datetime_millis;
ctx._source.duration_sec = durationMillis / 1000;
"""
}
}
When run, this would update all documents in the log_duration_testing index and add a field called duration_sec based on the difference between the fields event_stop_datetime and event_start_datetime.
However, if you're looking to compare the differences in time between separate documents, that becomes a different tactic.
One way to accomplish this would be to do something similar to what is discussed here with transforms.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.