Logstash Aggregate with multiple end tags

ptamba · May 17, 2020, 7:41am

if you are sure that the event tag only have either Saved or Saved, Modified , then you can access the modified timestamp with %{event_tag[1]}. since they are on the same column, i imagine the eveng_tag will be in array.

then you could go with :

if “Modified” in [event_tag] { 
  filter { 
    #elapsed filter with %{event_tag[1]} as end value 
  } 
} 

else { 
  filter {
     #elapsed filter with %{event_tag[0]} as end value
  } 
}

the best way will be using ruby filter to extract the time stamp from either Saved or Modified. Here’s an example

Topic		Replies	Views
Measuring multiple event durations with elapsed plugin Logstash	2	621	December 15, 2017
Elapsed Filter - Save tags/fields from start event Logstash	1	401	October 8, 2018
Multiple elapsed.time on a single event Logstash	1	703	July 6, 2017
Calculate elapsed time for multiple end events Logstash	3	908	December 4, 2019
Avoid duplicates code in Logstash Logstash	4	124	May 4, 2024

Logstash Aggregate with multiple end tags

Related topics