How to add field for the duration of a session?


(Yeroc) #1

We have some logs where some critical information (such as username) is logged once at the beginning of a user's session (these are web applicaiton logs) and we'd like to associate this information in a field for all the following events associated with that same session_id. Is there a way to do this in logstash? I thought this would be something that would come up more commonly but I didn't turn up anything in any searches. The idea would be to store a value into a persistent hash that could then be retrieved on subsequent events. Typically, a session_id or similar would be used and there'd have to be some mechanism to delete the values from the hash to keep it from growing without bound. The closest filter I could find is the 'elapsed' filter.

Thanks,
Corey


(rastro) #2

Check out the elapsed{} filter, which can compute the duration.


(Yeroc) #3

Yes, as mentioned in my original post, I've seen the elapsed filter which comes closest to what I want but note that I'm not trying to measure elapsed times. I'm trying to capture a value during the creation of a session so that I can log it with all events associated with that session later on. Picture a username which is logged at login time but all that is logged thereafter is a sessionid but I want to then include the username on all my events stored in elasticsearch to ease diagnosis of issues.

Corey


(rastro) #4

You could use the elapsed filter as a prototype of how to build that cache as a filter.

I'm currently doing a similar process via a small external python script from cron.


(system) #5