Hi there,
Its a long story that i cant get into here(!) but the data we are pushing through logstash and further on into elasticsearch is not in real time and is on a regular 10 minute loop by a cron job. Therefore our document hit has two timestamps, the "@timestamp" field which represents the time the document was added to the index and another "timestamp" field which we extract as the actual timestamp in the original log. We use that latter as the default field for the time filter field explorer allowing us to search properly.
Sob story over... We are now using the elapsed filter plugin to monitor the time spent between a start and end transaction. Setting it up and configuring it to watch out for a start message and end message is working correctly and working out the elapsed time, however, it is working out the elapsed time as the difference between the two "@timestamp" fields which you can guess is way off because we dont have something realtime like filebeat installed.
Is there any way that i can change the elapsed filter to calculate it from a different timestamp field? I can't seem to find anything on it and think i may be s**t out of luck.
Any help appreciated!