How to match two logs in Kibana

Hello!

I have in Kibana some logs with the following message formats: "Process started with id 5" and "Process ended with id 5".

What I want is to match the two logs based on the id found in the message field and then compute the difference between their two timestamps.

I tried to use a scripted field, but I get a compilation error and Kibana doesn't show me the error message.

How can I manage to match two logs and access their contents?

Thanks in advance.

How are you ingesting your logs? I suggest parsing your message and extracting the id from the message at ingest time. With Logstash you can use the dissect filter to do this. With Beats you can use the dissect ingest processor.

Getting the elapsed time between logs is also easier to do at ingest time. Logstash has an elapsed filter which helps with this.
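As an added example (not from the original thread or from Elastic), here is a Logstash pipeline that does both things the reply describes: dissect pulls the id out of the message at ingest time, and the elapsed filter pairs each "started" event with its "ended" event and writes the time between them. Assumed, not taken from the thread: events arrive with @timestamp already set (Beats sets it, or a date filter earlier in the pipeline does), the elapsed plugin has been installed with `bin/logstash-plugin install logstash-filter-elapsed`, and the field and tag names `action`, `process_id`, `process_started`, `process_ended` are chosen here.

```logstash
# Added example, not from the original thread. Assumptions: @timestamp is
# already set on each event, logstash-filter-elapsed is installed, and the
# field/tag names below are chosen for this example.
input {
  beats { port => 5044 }
}

filter {
  # "Process started with id 5" -> action = "started", process_id = 5
  # "Process ended with id 5"   -> action = "ended",   process_id = 5
  dissect {
    mapping          => { "message" => "Process %{action} with id %{process_id}" }
    convert_datatype => { "process_id" => "int" }
  }

  # The elapsed filter pairs events by tag, so tag each event by its action.
  if [action] == "started" {
    mutate { add_tag => ["process_started"] }
  } else if [action] == "ended" {
    mutate { add_tag => ["process_ended"] }
  }

  # Match a start and an end that carry the same process_id. On a match the
  # "ended" event gets elapsed_time (seconds) and elapsed_timestamp_start.
  # A start that sees no end within `timeout` seconds is reported as expired;
  # an end with no recorded start is tagged as end-without-start, so an
  # "ended" line arriving before its "started" line is visible rather than lost.
  elapsed {
    start_tag       => "process_started"
    end_tag         => "process_ended"
    unique_id_field => "process_id"
    timeout         => 3600
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "processes-%{+YYYY.MM.dd}"
  }
}
```

Once this runs, `elapsed_time` is an ordinary numeric field on the "ended" document, so Kibana can filter, sort and chart it without a scripted field. The elapsed filter keeps the unmatched starts in memory, and with several pipeline workers an end event can be processed before the start it belongs to; running the pipeline with a single worker (`pipeline.workers: 1`) is the safest choice, and the timeout bounds how long an unmatched start is held.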
