Elapsed filter and logstash 1.5

sanaya · June 9, 2015, 4:09pm

Hello,

I'm just getting started with logstash, and I have been using the elapsed filter on version 1.4.2.
However, upgrading to version 1.5 the elapsed filter doesn't seem to generate an expired event any more. Is there a new configuration for the filter I'm not seeing or is this a bug?

I'm running on a windows platform.

Thanks

warkolm · June 10, 2015, 3:17am

Can you provide your config?

sanaya · June 10, 2015, 4:02pm

input {
  file {
         path => "C:/temp/combined.txt"
         type => "TG"
		 start_position => "beginning"
		 sincedb_path => "C:/temp/combined_sincedb"
       }
 }

filter {
    if [type] == "TG" {
	  
      grok {
         match => ["message", "\[%{TIMESTAMP_ISO8601:LogTimestamp}\] %{WORD:Status}-%{GREEDYDATA:RepId}, %{GREEDYDATA:Test}, Session:%{GREEDYDATA:Session}, package id: %{UUID:ClientPackageIdentifier}, %{TIMESTAMP_ISO8601:SentAt}, (?<ClientIdentifier>\S*)",
		                 "message", "\[%{TIMESTAMP_ISO8601:LogTimestamp}\] %{WORD:Status}-%{GREEDYDATA:RepId}, Session:%{GREEDYDATA:Session}, package id: %{UUID:ClientPackageIdentifier}, %{TIMESTAMP_ISO8601:ReceivedAt}, Sequence:%{NUMBER:Sequence}, RequestRetries:%{NUMBER:RequestRetries}, ResponseRetries:%{NUMBER:ResponseRetries}, %{WORD:ResponseReason}, %{WORD:ErrorCode}, Occured at: %{TIMESTAMP_ISO8601:OccuredAt}, SSI:%{POSINT:SSI}, ClientId: (?<ClientIdentifier>\S*)"
		 ]
		 
		 add_tag => [ "%{ClientIdentifier}" ]
		 add_tag => [ "%{Status}" ]
      }	
	  
      date {
	           match => ["LogTimestamp", "YYYY-MM-dd HH:mm:ss.SSS"]
       }

	if "_grokparsefailure" in [tags] {
      drop { }
    }	
 }
 
	elapsed {
	   start_tag => "Sending"
	   end_tag => "Response"
	   unique_id_field => "ClientPackageIdentifier"
	   timeout => 60
	   new_event_on_match => false
	}
}

 output {
    elasticsearch { 
	   host => "localhost"
	   index => "test"
	   protocol => "http"
	   }
    file {
        path => "c:\temp\result.txt"
		flush_interval => 0
	}
	
}

The status field is either Sending or Response which is my start and stop tag.

Thanks!

sanaya · July 2, 2015, 9:52pm

Any followup on this?

I tried with the latest 1.5.2 version of Logstash, and still don't get an elapsed.expired_error event.

Thanks.