If you want to find the time for which a ticket was open, you could use

```
filter {
  json { source => "message" remove_field => [ "message" ] }
  # "yyyy" is year-of-era; "YYYY" is week-year and gives wrong dates around the new year
  date { match => [ "log_time", "dd/MM/yyyy HH:mm:ss.SSS" ] }
  if [event] == "CREATED" {
    aggregate {
      task_id => "%{job_id}"
      # remember when this ticket was opened, keyed by job_id
      code => 'map["start_time"] = event.get("@timestamp")'
      map_action => "create"
    }
  }
  if [event] == "CLOSED" {
    aggregate {
      task_id => "%{job_id}"
      # duration in seconds between CREATED and CLOSED; only runs if a map for this job_id exists
      code => 'event.set("duration", event.get("@timestamp") - map["start_time"])'
      map_action => "update"
      end_of_task => true
      timeout => 10
    }
  }
}
```
If your concern is that tickets can be open for a very long time, then you could use an approach like this.
The number of tickets created/closed in a time period and the average time a ticket was open are questions I would answer using Elasticsearch, not Logstash.