Hello,
I'm just getting started with Logstash, and I have been using the elapsed filter on version 1.4.2.
However, after upgrading to version 1.5, the elapsed filter doesn't seem to generate an expired event any more. Is there a new configuration for the filter I'm not seeing, or is this a bug?
I'm running on a Windows platform.
Thanks
warkolm (Mark Walkom), June 10, 2015, 3:17am
Can you provide your config?
sanaya, June 10, 2015, 4:02pm
input {
  file {
    path => "C:/temp/combined.txt"
    type => "TG"
    start_position => "beginning"
    sincedb_path => "C:/temp/combined_sincedb"
  }
}
filter {
  if [type] == "TG" {
    grok {
      match => ["message", "\[%{TIMESTAMP_ISO8601:LogTimestamp}\] %{WORD:Status}-%{GREEDYDATA:RepId}, %{GREEDYDATA:Test}, Session:%{GREEDYDATA:Session}, package id: %{UUID:ClientPackageIdentifier}, %{TIMESTAMP_ISO8601:SentAt}, (?<ClientIdentifier>\S*)",
                "message", "\[%{TIMESTAMP_ISO8601:LogTimestamp}\] %{WORD:Status}-%{GREEDYDATA:RepId}, Session:%{GREEDYDATA:Session}, package id: %{UUID:ClientPackageIdentifier}, %{TIMESTAMP_ISO8601:ReceivedAt}, Sequence:%{NUMBER:Sequence}, RequestRetries:%{NUMBER:RequestRetries}, ResponseRetries:%{NUMBER:ResponseRetries}, %{WORD:ResponseReason}, %{WORD:ErrorCode}, Occured at: %{TIMESTAMP_ISO8601:OccuredAt}, SSI:%{POSINT:SSI}, ClientId: (?<ClientIdentifier>\S*)"
      ]
      add_tag => [ "%{ClientIdentifier}" ]
      add_tag => [ "%{Status}" ]
    }
    date {
      match => ["LogTimestamp", "YYYY-MM-dd HH:mm:ss.SSS"]
    }
    if "_grokparsefailure" in [tags] {
      drop { }
    }
  }
  elapsed {
    start_tag => "Sending"
    end_tag => "Response"
    unique_id_field => "ClientPackageIdentifier"
    timeout => 60
    new_event_on_match => false
  }
}
output {
  elasticsearch {
    host => "localhost"
    index => "test"
    protocol => "http"
  }
  file {
    path => "c:\temp\result.txt"
    flush_interval => 0
  }
}
The Status field is either Sending or Response, which are my start and stop tags.
Thanks!
Any followup on this?
I tried with the latest 1.5.2 version of Logstash, and still don't get an elapsed.expired_error event.
Thanks.