Our ES index has timestamps, markers for function start and end (in separate documents) and other fields which identify the execution environment (ip+pid+tid).
By fixing ip+pid+tid and calculating the difference between the timestamps of subsequent documents (end - start), I'll get the execution time of the function.
Is there any aggregation that looks at an ordered series of documents and performs an aggregation between two adjacent documents?
You might be able to use logstash to augment the documents with this information. Check the value of the msg field and add tags for start and end, then use an elapsed filter.
I had the same issue as you - I have 'transaction start' and 'transaction end' events in a database that I wanted to work out the elapsed time of.
You should take a look at the elapsed-filter plugin. You basically configure it to watch for new events and you give it a field or combination of fields which would result in a unique ID with which to correlate the pair of start/end events. The elapsed filter then keeps a record of 'start' events and when it finds a matching 'end' event it calculates the time difference and inserts it as a new field in the end event (there are some other options).
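The pipeline both answers describe (tag start/end by inspecting msg, correlate on ip+pid+tid, let elapsed compute the duration), written out as an added example; this is not configuration from the thread or from the elapsed-filter project. The field names msg, ip, pid and tid, the exec_id field, the tag names and the "function start"/"function end" marker wording are assumptions and must be adapted to the real index mapping:

```logstash
# Added example: correlate function start/end events with the elapsed filter.
# Assumed fields: msg (marker text), ip, pid, tid; assumed marker wording in msg.
filter {
  # One correlation key per execution context (ip+pid+tid), as the question proposes.
  mutate {
    add_field => { "exec_id" => "%{ip}-%{pid}-%{tid}" }
  }

  # Tag the two event kinds by looking at the msg field (assumed marker wording).
  if [msg] =~ /function start/ {
    mutate { add_tag => [ "func_start" ] }
  } else if [msg] =~ /function end/ {
    mutate { add_tag => [ "func_end" ] }
  }

  # Keep start events keyed by exec_id; when the matching end arrives, the end
  # event gets elapsed_time (seconds) and elapsed_timestamp_start plus the tag
  # "elapsed". Starts never closed within the timeout are flagged with the tag
  # elapsed_expired_error instead of being kept forever.
  elapsed {
    start_tag          => "func_start"
    end_tag            => "func_end"
    unique_id_field    => "exec_id"
    timeout            => 600
    new_event_on_match => false   # store the duration on the end event, not in a separate document
  }
}
```

Two things to check before trusting the numbers: the filter subtracts @timestamp values, so parse the index's own timestamp into @timestamp with a date filter ahead of this block rather than relying on ingest time; and because the filter keeps in-memory state across events, run the pipeline with a single worker (pipeline.workers: 1) so a start and its end are not split across workers. The ip+pid+tid key only identifies a pair when each function on a thread ends before the next one starts; nested or re-entrant calls on the same thread need a per-call id in the key.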