hi there!
i use elapsed filter to have elapsed time of round txn and dropout count.
now i can only add one unique_id_field, actually it's not enough for my customization
is there anyway to add multiple ids in elapsed filter?
i would appreciate every single advice 
i found my way and let me share it 
i create one field (field1+field2) at grok filter
and when reach to elapsed filter i split it into two fields
here is sample code
if "ReqTestPage123" in [message] {
grok {
# txn start
break_on_match => false
match => { "message" => ["^(?<timestamp>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{1,3}).*?(?<threadno>\d+).*?%{WORD:log_level}.*?ReqTestPage123\s{0,}::\s+%{WORD:session_id}{0,1}\s{0,}::", "\|inv_no=%{DATA:invoice_id}\|mid=%{DATA:mid}\|"]}
add_field => { "log_type" => "request" }
add_field => { "dropout_trace_id" => "%{mid}+%{invoice_id}" }
add_tag => ["req"]
}
}
else if "ResTestPage123" in [message] {
grok {
match => { "message" => ["^(?<timestamp>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{1,3}).*?(?<threadno>\d+).*?%{WORD:log_level}.*?ResTestPage123\s{0,}::\s+%{WORD:session_id}{0,1}\s{0,}::", "\|inv_no=%{DATA:invoice_id}\|mid=%{DATA:mid}\|"]}
add_field => { "log_type" => "response" }
add_field => { "dropout_trace_id" => "%{mid}+%{invoice_id}" }
add_tag => ["res"]
}
}
elapsed {
start_tag => "req"
end_tag => "res"
unique_id_field => "dropout_trace_id"
periodic_flush => true
timeout => 10
add_tag => ["dropout"]
}
if ![message] {
if [dropout_trace_id] {
mutate {
split => { "dropout_trace_id" => "+" }
add_field => { "mid" => "%{[dropout_trace_id][0]}" }
add_field => { "invoice_id" => "%{[dropout_trace_id][1]}" }
remove_field => [ "dropout_trace_id" ]
}
}
}This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.