Event.duration bug

maltewhiite · October 14, 2021, 2:12pm

I have a field as a double in milliseconds. I want to turn it into nanoseconds and apply it to the event.duration field in logstash, so I can monitor how long certain events take for my machines to process.

Here is the Logstash code:

        if [idm][response] == "RESULT" {
            mutate {
                convert => {
                    "[idm][result][etime]" => "float"
                    "[idm][result][optime]" => "float"
                    "[idm][result][wtime]" => "float"
                    "[idm][result][tag]" => "integer"
                }
            }
            if [idm][result][etime] {
                ruby {
                    code => "event.set('[event][duration]', ((event.get('[idm][result][etime]').to_f) * 1000000).round)"
                }
            }
        }

Here is how it looks in Kibana. It only shows 0.0 or 0.1:

Now, the strange part is that it looks like it works, if I do the following, and filter for value:

And then edit the filter, it will actually show me the correct value that I want the event.duration field to have:

So why is it showing 0.0 and not 1165? The Filter knows it is 1165 but the Kibana UI shows 0.0
See, the UI shows 0.0

But the JSON shows the right number:

AquaX · October 15, 2021, 3:36pm

In Kibana, check your index pattern for that field and define the number of decimal places you want to show for event.duration

maltewhiite · October 18, 2021, 7:22am

But the real number for event.duration in the example in the JSON is 1165

Showing more decimal places wouldn't change anything?

maltewhiite · October 18, 2021, 7:29am

I checked anyway, just to be sure, and it turns out you pointed me in the right direction.

The Documentation tells us to set event.duration as the Duration in Nanoseconds. So I just assumed that the Kibana field would show it in Nanoseconds as well. But apparently it is showing it in Milliseconds. Doesn't seem very intuitive, but oh well.

I can now raise the Decimal places as I see fit. Thanks.

AquaX · October 18, 2021, 1:45pm

Wonderful! Glad you got it sorted out

system · November 15, 2021, 1:46pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
IIS Event.Duration Doesn't seem Queryable? Kibana	5	675	May 23, 2020
Elapsed Plugin 'expired' events create new index with incorrect field mapping Logstash	1	335	October 15, 2021
How to index nanoseconds precision events with Logstash (7.10) and type date_nanos Logstash	1	5415	February 21, 2021
@timestamp in microseconds Logstash	5	6643	February 6, 2017
Duration_in_millis shows too high values Logstash	3	3502	December 20, 2017

Event.duration bug

Related topics