Logs Timestamp

Hi,

I am trying to fetch the total time taken by a job from Status A to Status B from logs. I extracted the log timestamp column, status, and jobid from the logs in Kibana. How can we extract the total time taken per Job ID and visualize this in a Kibana graph?
Can you please provide support?

Thank you,

Hi Priti,

This is actually rather difficult to do in Kibana. One way is by getting the data into an entity-centric index in Elasticsearch. What this means is that instead of having a time-based index where each event is indexed into Elasticsearch you would have one document per JobID and those documents would get updated with the time for each status and duration.

Here's the only "solution" I know of that could work directly in Kibana, using the Advanced JSON field in a Kibana visualization. But if you have a large index, the performance could be a problem.

Related links:

Hi PritiS

Do you use Logstash and real-time log shipping? If so, lucky you.

I solved it by using the Logstash grok filter and elapsed filter.
For instance, let me share how to do it:

  • make a start point for the Status A log
  • make an end point for the Status B log
  • then connect the start point and end point using a unique id (e.g. jobid)

filter {
  if "StatusA" in [message] {
    grok {
      match => { "message" => [ "grok pattern for your StatusA log. Let's say you will get status, jobid" ] }
      add_field => { "log_type" => "StatusA" }
      add_tag => [ "status_a" ]
    }
  } else if "StatusB" in [message] {
    grok {
      match => { "message" => [ "grok pattern for your StatusB log. Let's say you will get status, jobid" ] }
      add_field => { "log_type" => "StatusB" }
      add_tag => [ "status_b" ]
    }
  }

  # elapsed sits outside the conditionals so it sees both the tagged start
  # and the tagged end event; it pairs them on the value of unique_id_field.
  elapsed {
    start_tag => "status_a"
    end_tag => "status_b"
    unique_id_field => "jobid"
    periodic_flush => true
    timeout => 2100
  }
}

You will see the elapsed_time and elapsed_timestamp_start fields on the StatusB log in Kibana. elapsed_time is the difference between the timestamps of StatusA and StatusB. The elapsed_time field is of float type. It's cool.
Then visualize it. I use the Timelion visualization. Here is my sample:
Y-axis: elapsed_time (in sec)
X-axis: time

But please note that elapsed_time values are only accurate on the same CPU.
If pipeline.workers: 1, the result will be accurate.
If pipeline.workers: 2, the result won't be accurate.
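The pairing logic the elapsed filter performs (start event and end event joined on a unique id, with a timeout for starts that never see an end) can be reproduced in a few lines of Python, which is useful for checking what you expect to see in Kibana before building the Timelion chart. The script below is an added example written for this thread, not Logstash's own code or the poster's configuration; the log lines, the line format and the field names are constructed for the demonstration. It also shows the ordering caveat from the reply above: when the end event is processed before its start event, as can happen with several pipeline workers, the pair is never matched.

```python
import re
from datetime import datetime, timezone

# Constructed sample log lines (assumed format, not from the original thread).
SAMPLE_LOGS = [
    "2023-05-01T10:00:00Z StatusA jobid=J1",
    "2023-05-01T10:00:05Z StatusA jobid=J2",
    "2023-05-01T10:00:12Z StatusB jobid=J1",
    "2023-05-01T10:00:30Z StatusB jobid=J3",  # end with no matching start
    "2023-05-01T10:40:00Z StatusB jobid=J2",  # end arriving after the timeout
]

# Stand-in for the grok pattern: timestamp, status and jobid from one line.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<status>StatusA|StatusB) jobid=(?P<jobid>\S+)$")


def parse_line(line):
    """Return (timestamp, status, jobid) for a line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["status"], m["jobid"]


def elapsed_events(lines, timeout=2100):
    """Pair StatusA/StatusB lines by jobid, in the spirit of the elapsed filter.

    Returns a dict with:
      matched: {jobid: elapsed_seconds}       end matched to a start
      expired: [jobid]  start seen, no end within `timeout` seconds
      orphans: [jobid]  end seen without an open start
    Lines are processed in the order given, exactly like a single worker.
    """
    starts = {}
    matched, expired, orphans = {}, [], []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, status, jobid = parsed
        # Periodic flush: forget starts older than the timeout relative to
        # the current event time, so they can no longer be matched.
        for jid, start_ts in list(starts.items()):
            if (ts - start_ts).total_seconds() > timeout:
                expired.append(jid)
                del starts[jid]
        if status == "StatusA":
            starts[jobid] = ts
        elif status == "StatusB":
            if jobid in starts:
                matched[jobid] = (ts - starts.pop(jobid)).total_seconds()
            else:
                orphans.append(jobid)
    return {"matched": matched, "expired": expired, "orphans": orphans}


def demo_out_of_order():
    """J1's end line processed before its start line, as can happen when
    more than one pipeline worker handles the stream: the pair is lost."""
    lines = [SAMPLE_LOGS[2], SAMPLE_LOGS[0]]
    return elapsed_events(lines)


if __name__ == "__main__":
    print(elapsed_events(SAMPLE_LOGS))
    print(demo_out_of_order())
```

With the sample lines, J1 is matched with an elapsed_time of 12.0 seconds, J2's start expires because its end arrives 2395 seconds later (beyond the 2100-second timeout) and is then reported as an orphan end, and J3 is an orphan because it never had a start. The out-of-order run shows why the reply recommends pipeline.workers: 1 for accurate results.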

