Bumped into a problem with the Elapsed filter.
Using a single pipeline worker but still...
Trying to calculate elapsed time between 2 events from different log files on the same host.
Both events have a unique field and correct tags, and are shipped with Filebeat to Logstash.
The problem is elapsed_end_without_start; it occurs because the start event is from one file and the end event from another. The end event is processed before the start event, while the end event has the more recent timestamp.
The cause, I guess, is that Filebeat makes bulks disregarding timestamp or read time.
Is there a way to sort messages or delay input send/read? Or is there a need to modify the Elapsed filter so that it waits some time for the start event?
If they are in the wrong order you could use an aggregate filter instead of an elapsed filter.
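
An added example (not posted by anyone in the thread) of the aggregate-filter approach suggested in the reply above: it pairs start and end events in whichever order they arrive and flags tasks whose other half never shows up. The tag names `taskStarted`/`taskTerminated`, the correlation field `task_id`, the output names `elapsed_time`/`elapsed_unpaired` and the 120-second wait are assumptions; substitute your own.

```logstash
filter {
  # Assumed names: tags "taskStarted"/"taskTerminated", correlation field [task_id].
  # Assumes a date filter has already set @timestamp from the log line.
  # The aggregate filter needs a single pipeline worker (-w 1).
  if "taskStarted" in [tags] or "taskTerminated" in [tags] {
    aggregate {
      task_id    => "%{task_id}"
      map_action => "create_or_update"
      code => "
        ts = event.get('@timestamp').to_f
        if event.get('tags').include?('taskStarted')
          map['start_ts'] = ts
        else
          map['end_ts'] = ts
        end
        # Whichever half arrives second completes the pair.
        if map['start_ts'] && map['end_ts']
          event.set('elapsed_time', (map['end_ts'] - map['start_ts']).round(3))
          map['paired'] = true
        end
      "
      # Wait up to 120 s for the other half, then emit the map as its own event.
      timeout                      => 120
      push_map_as_event_on_timeout => true
      timeout_task_id_field        => "task_id"
      timeout_tags                 => ["elapsed_unpaired"]
    }
  }
  # Timeout events for completed pairs are noise; keep only the unpaired ones.
  if "elapsed_unpaired" in [tags] and [paired] {
    drop { }
  }
}
```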