Elapsed time between consecutive logs

I know a quite similar question was raised in Time between timestamp but a clear answer wasn't given there.

I would like to calculate the difference between the timestamps of every two consecutive logs and insert the result as a new field in the latter log.
I guess the elapsed filter is my best bet, but I am rather new to Logstash and I couldn't find out how I should do it.
Any help would be appreciated.

I don't think you could do that with the elapsed filter, because for it an event can only be a start event for the timer OR an end event.

I think your only possibility will be the ruby filter.

Any idea how I can get the timestamp of the previous log with ruby? With that the problem should be solved.

You can save it in a variable of the ruby plugin (this needs workers set to 1, like the elapsed plugin, to always give the correct value).
It should be something like this:

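filter {
    ruby {
        # $last_time is a Ruby global holding the previous event's timestamp (seconds as a float)
        init => "$last_time = 0.0;"
        # store the difference to the previous event, then remember this event's timestamp
        code => "event.set('elapsed_time', event.get('@timestamp').to_f-$last_time); $last_time = event.get('@timestamp').to_f;"
    }
}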

Untested, because I didn't have a test system handy where I can test this.

EDIT: OK, I have tested it now. There were some errors in there that I have now fixed, and it now has a higher precision (not only down to 1s).
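
The same per-event logic as the filter above, as an added example that is not part of the original thread: a plain-Ruby version that runs outside Logstash, starts from `nil` instead of `0.0` so the first event gets no `elapsed_time`, and tags negative differences, which is how out-of-order arrival shows up. `FakeEvent`, `ElapsedTracker`, the `out_of_order` tag and the sample timestamps are hypothetical names and constructed data, not Logstash's own.

```ruby
require 'time'

# Minimal stand-in for a Logstash event (hypothetical; only get/set).
class FakeEvent
  def initialize(fields); @fields = fields; end
  def get(name); @fields[name]; end
  def set(name, value); @fields[name] = value; end
end

# Keeps the same state the filter keeps in $last_time, but starts at nil
# so the first event is not given "seconds since 1970" as its elapsed time.
class ElapsedTracker
  def initialize
    @last_time = nil
  end

  def filter(event)
    now = event.get('@timestamp').to_f
    unless @last_time.nil?
      delta = (now - @last_time).round(3)
      event.set('elapsed_time', delta)
      # A negative delta means events reached the filter out of order,
      # which is what can happen with more than one pipeline worker.
      event.set('tags', ['out_of_order']) if delta < 0
    end
    @last_time = now
    event
  end
end

# Constructed sample timestamps; the third one arrives out of order.
SAMPLE = [
  '2024-01-01T10:00:00.000Z',
  '2024-01-01T10:00:01.250Z',
  '2024-01-01T10:00:00.750Z',
  '2024-01-01T10:00:05.000Z'
].freeze

# Returns [elapsed_time, tags] for each sample event, in arrival order.
def run_sample
  tracker = ElapsedTracker.new
  SAMPLE.map do |ts|
    e = tracker.filter(FakeEvent.new('@timestamp' => Time.iso8601(ts)))
    [e.get('elapsed_time'), e.get('tags')]
  end
end

p run_sample if __FILE__ == $PROGRAM_NAME
```
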

Thank you for the help. It seems to work fine.
