When processing potentially several thousand events per second, the elapsed
filter plugin seems to miss about 10% of my start/end tagged events. The tag I often see on the "end" events is elapsed_end_without_start.
Maybe you have a suggestion for why I'm missing start events? Here's the relevant logstash filter:
# Parses CSV application events and, for timecard BEGIN/END events, pairs each
# CALC_*_BEGIN with its CALC_*_END through the elapsed filter.
filter {
  # Split the line on commas into the named columns.
  csv {
    separator => ","
    columns   => [
      "timestamp", "environment", "program", "pid", "dbcode",
      "event", "resource_type", "primary_id", "secondary_id", "action"
    ]
  }

  # Parse the ISO8601 "timestamp" column; with no explicit target the date
  # filter writes the result to @timestamp.
  date {
    match => ["timestamp", "ISO8601"]
  }

  # NOTE(review): "resource_id" is not one of the csv columns above (they define
  # primary_id / secondary_id) -- confirm it is populated elsewhere, otherwise
  # this branch is never taken.
  if [resource_type] == "timecard" and [resource_id] {
    if [event] =~ /BEGIN$/ or [event] =~ /END$/ {
      mutate {
        # Correlation key shared by the start and end event of one operation.
        # NOTE(review): if the same resource/environment/pid combination can
        # start a second operation before the first ends, the ids collide --
        # verify against the producer.
        add_field => { "transaction_id" => "%{resource_id}_%{environment}_%{pid}" }
        # The event name itself becomes the tag the elapsed filters match on.
        add_tag => ["%{event}"]
      }

      # One elapsed filter per operation; timeout is in seconds.
      # NOTE(review): elapsed keeps pending start events in memory and relies on
      # seeing the start before the end. With several pipeline workers events
      # may be processed out of order, which would presumably surface as
      # elapsed_end_without_start -- confirm the worker count (-w 1) first.
      elapsed {
        start_tag       => "CALC_FOO_BEGIN"
        end_tag         => "CALC_FOO_END"
        unique_id_field => "transaction_id"
        timeout         => 600
      }

      elapsed {
        start_tag       => "CALC_BAR_BEGIN"
        end_tag         => "CALC_BAR_END"
        unique_id_field => "transaction_id"
        timeout         => 600
      }

      elapsed {
        start_tag       => "CALC_BAZ_BEGIN"
        end_tag         => "CALC_BAZ_END"
        unique_id_field => "transaction_id"
        timeout         => 600
      }
    }
  }
}