Find time difference between series of events with uniqueid

GokulD · December 7, 2020, 9:09pm

Hi ,

I have requirement where I have series of events that has a unique trace id. I want to find and take the timestamp from the first and last event of this id and find the difference.

Since I dont have any start and end tag to track for those events, i'm not able to use elpased filter. Is there a way with which I can achieve this requirement ?

Below is the sample log:

e65f915e-d3c4-471b-89eb-3613cd1f3c54 asd {"timestamp":"2020-10-29 08:18:48.893"}
e65f915e-d3c4-471b-89eb-3613cd1f3c54 def {"timestamp":"2020-10-29 08:18:49.111"}

Badger · December 7, 2020, 9:16pm

You may be able to use an aggregate filter. See example 3 in the documentation.

An example of calculating time difference is here.

GokulD · December 7, 2020, 9:31pm

Thank you so much for your reply.

However for calculating the timedifference I should be able to get the timestamp of the first event and last event from the series of events of the same trace id. Does aggregate have option for this?

Badger · December 7, 2020, 10:03pm

In the aggregate filter you would use some code like

code => '
    map["firstEvent"] ||=  event.get("@timestamp")
    map["lastEvent"] =  event.get("@timestamp")
'
timeout_code => '
    require "time"
    starttime = Time.iso8601(event.get("firstEvent").to_s).to_f
    endtime   = Time.iso8601(event.get("lastEvent").to_s).to_f
    event.set("overallTime", endtime - starttime)
'

GokulD · December 10, 2020, 7:16pm

Thanks very much, it worked!!!.

We also have requirement where on the same series of event instead of taking the timestamp for the last event we want to take the timestamp of a event in-between and find difference based on that.

For example we have the below series of events

65f915e-d3c4-471b-89eb-3613cd1f3c54 asd {"timestamp":"2020-10-29 08:18:48.893"}
e65f915e-d3c4-471b-89eb-3613cd1f3c54 def {"timestamp":"2020-10-29 08:18:49.111","status":"COMPLETED"}
e65f915e-d3c4-471b-89eb-3613cd1f3c54 def {"timestamp":"2020-10-29 08:18:49.111"}

So based on the key status is it possible to take the timestamp of that event and calculate ?

Badger · December 10, 2020, 8:45pm

You could replace that with something like

if event.get("message").include?("COMPLETED")
    map["lastEvent"] =  event.get("@timestamp")
end

You may then need error handling if there are cases where that string does not occur, so lastEvent never gets set.

system · January 7, 2021, 8:45pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Calculate time difference between 2 events with unique id Logstash	2	374	January 13, 2023
Calculate time between different events with same ID Logstash	1	298	May 31, 2020
Combining two events in one to calculate time difference Logstash	3	2107	January 13, 2022
How to use aggregate function in logstash to calculate difference between 'elapsed' time fields? Logstash	5	950	May 26, 2020
Logstash Aggregate with multiple end tags Logstash	6	594	June 14, 2020

Find time difference between series of events with uniqueid

Related Topics