Event.duration bug

maltewhiite · October 14, 2021, 2:12pm

I have a field as a double in milliseconds. I want to turn it into nanoseconds and apply it to the event.duration field in logstash, so I can monitor how long certain events take for my machines to process.

Here is the Logstash code:

        if [idm][response] == "RESULT" {
            mutate {
                convert => {
                    "[idm][result][etime]" => "float"
                    "[idm][result][optime]" => "float"
                    "[idm][result][wtime]" => "float"
                    "[idm][result][tag]" => "integer"
                }
            }
            if [idm][result][etime] {
                ruby {
                    code => "event.set('[event][duration]', ((event.get('[idm][result][etime]').to_f) * 1000000).round)"
                }
            }
        }

Here is how it looks in Kibana. It only shows 0.0 or 0.1:

Now, the strange part is that it looks like it works, if I do the following, and filter for value:

And then edit the filter, it will actually show me the correct value that I want the event.duration field to have:

So why is it showing 0.0 and not 1165? The Filter knows it is 1165 but the Kibana UI shows 0.0
See, the UI shows 0.0

But the JSON shows the right number:

AquaX · October 15, 2021, 3:36pm

In Kibana, check your index pattern for that field and define the number of decimal places you want to show for event.duration

maltewhiite · October 18, 2021, 7:22am

But the real number for event.duration in the example in the JSON is 1165

Showing more decimal places wouldn't change anything?

maltewhiite · October 18, 2021, 7:29am

I checked anyway, just to be sure, and it turns out you pointed me in the right direction.

The Documentation tells us to set event.duration as the Duration in Nanoseconds. So I just assumed that the Kibana field would show it in Nanoseconds as well. But apparently it is showing it in Milliseconds. Doesn't seem very intuitive, but oh well.

I can now raise the Decimal places as I see fit. Thanks.

AquaX · October 18, 2021, 1:45pm

Wonderful! Glad you got it sorted out

system · November 15, 2021, 1:46pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.