I'm using elapsed plugin.
I have start event, and end event.
if [trigger_status] == "PROBLEM" {
mutate{ add_tag => [ "taskStarted" ]}
}
if [trigger_status] == "OK" {
mutate{ add_tag => [ "taskTerminated" ]}
}
elapsed {
start_tag => "taskStarted"
end_tag => "taskTerminated"
unique_id_field => "trigger_id"
}
Is it possible to add TAG at start event when end event get match?
maybe, searching for the last trigger_id and adding the tag...