Logstash Aggregate with multiple end tags

ptamba · May 17, 2020, 7:41am

if you are sure that the event tag only have either Saved or Saved, Modified , then you can access the modified timestamp with %{event_tag[1]}. since they are on the same column, i imagine the eveng_tag will be in array.

then you could go with :

if “Modified” in [event_tag] { 
  filter { 
    #elapsed filter with %{event_tag[1]} as end value 
  } 
} 

else { 
  filter {
     #elapsed filter with %{event_tag[0]} as end value
  } 
}

the best way will be using ruby filter to extract the time stamp from either Saved or Modified. Here’s an example

Topic		Replies	Views
Measuring multiple event durations with elapsed plugin Logstash	2	621	December 15, 2017
Calculate elapsed time for multiple end events Logstash	3	908	December 4, 2019
Avoid duplicates code in Logstash Logstash	4	123	May 4, 2024
Logstash elapsed filter plugin: can't connect start and end events Logstash	3	340	September 16, 2021
Aggregate Filter Timeout Logstash	1	729	July 6, 2017

Logstash Aggregate with multiple end tags

Related Topics