Hello!
I need to join some responses and requests to have request time in response JSON.
For each request-response pair I have unique trace_id that looks like "dd4b46b0-44da-473e-8775-d90cce583b0f"
Solution for that was shown up in example
My logstash config:
filter {
elasticsearch
{
hosts => ["127.0.0.1:9200"]
query => "trace_id:%{[trace_id]}"
fields = {"time" => "req_timestamp"}
}
}
Problem is that when I look for trace_id "dd4b46b0-44da-473e-8775-d90cce583b0f" it gives me the time of th request with trace_id "3447da40-473e-4518-b8cd-4a742f419647" because they have the same part "473e".
How to look for a complete trace_id match using this plugin?
I'd suppose it has something to do with the trace_id field being analyzed by default in ElasticSearch and broken down in parts between dashes, hence you get the partial match . You can verify it by checking the mapping of the index or the general template (if one exists).
For a verbatim match try querying the trace_id.keyword subfield (which should be mapped by default if you're using a recent version of ElasticSearch), like so:
filter {
elasticsearch {
hosts => ["127.0.0.1:9200"]
query => "trace_id.keyword:%{[trace_id]}"
fields = {
"time" => "req_timestamp"
}
}
}did it with
query => 'trace_id:"%{[trace_id]}"'
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.