Bumped into a problem with the Elapsed filter.
Using a single pipeline worker, but still...
Trying to calculate the elapsed time between 2 events from different log files on the same host.
Both events have a unique field and correct tags, and are shipped with Filebeat to Logstash.
The problem is elapsed_end_without_start; it occurs because the start event is from one file and the end event is from another. The end event is processed before the start event, while the end event has the more recent timestamp.
The cause, I guess, is that Filebeat makes bulks disregarding timestamp or read time.
Is there a way to sort messages or delay input send/read? Or is there a need to modify the Elapsed filter so that it waits some time for the start event?
If they are in the wrong order you could use an aggregate filter instead of an elapsed filter.
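
An order-independent pairing with the aggregate filter, as suggested in the reply above. This is an added sketch, not part of the original thread: the `task_id` field, the `taskStarted`/`taskEnded` tags, the `elapsed_time` field, the `elapsed_match` tag and the 600-second timeout are assumed names and values, to be replaced with the ones in your own pipeline.

```logstash
filter {
  # Only the two event types that form a pair go through the aggregate filter.
  # Tag names are assumptions; use the tags your events really carry.
  if "taskStarted" in [tags] or "taskEnded" in [tags] {
    aggregate {
      # The unique field shared by the start and end event (assumed name).
      task_id => "%{task_id}"

      # Create the map on whichever event arrives first and update it on the
      # second one, so arrival order no longer matters.
      map_action => "create_or_update"

      code => "
        # Remember this event's own timestamp under 'start' or 'end'.
        key = event.get('tags').include?('taskStarted') ? 'start' : 'end'
        map[key] = event.get('@timestamp').to_f

        # Once both halves have been seen, compute the difference from the
        # event timestamps, not from the order in which Logstash read them.
        if map['start'] && map['end']
          event.set('elapsed_time', map['end'] - map['start'])
          event.tag('elapsed_match')
        end
      "

      # Drop maps whose partner event never arrives (assumed value, seconds).
      timeout => 600
    }
  }
}
```

The result lands on whichever event of the pair is processed second, which may be the start event. The aggregate filter keeps its maps in memory per pipeline, so it needs the single pipeline worker already mentioned in the question.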