I wrote a Logstash filter to count a user's online period, but I got something wrong in my filter, and I don't know how to filter this by different users.
The log format is:
"|2017-09-28-09:49:18|INFO|JupyterHub|User logged in: jupyter|
......
|2017-09-28-09:49:24|INFO|JupyterHub|User logged out: jupyter|"
I wrote the filter like this:
    date {
      match => ["[action_start_time]", "yyyy-MM-dd-HH:mm:ss"]
      target => "[action_start_timed]"
    }
    date {
      match => ["[action_end_time]", "yyyy-MM-dd-HH:mm:ss"]
      target => "[action_end_timed]"
    }
    ruby {
      # Logstash 5+ event API: event.get / event.set instead of event['...'];
      # .to_f turns the two timestamps into seconds so they can be subtracted
      code => "event.set('action_duration', event.get('action_end_timed').to_f - event.get('action_start_timed').to_f)"
    }
Logstash acts on one event at a time so you will never have one event with both action_start_time and action_end_time. Perhaps the aggregate filter can help in this case.
So, how can I count user login times like this?
|2017-09-28-09:49:18|INFO|JupyterHub|User logged in: user1|
|2017-09-28-09:49:24|INFO|JupyterHub|User logged out: user1|
|2017-09-28-09:49:42|INFO|JupyterHub|User logged in: user2|
|2017-09-28-09:49:55|INFO|JupyterHub|User logged out: user2|
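Added example, not code from the thread: the per-user pairing that the suggested aggregate filter would do (task_id keyed on the user, login stores a start time in the map, logout emits the duration and ends the task), written as plain Ruby so it can be run against the sample lines above. The field names, the grok pattern in the comments and the extra unmatched-logout line are assumptions.

```ruby
require 'time'

# Constructed sample input in the format from the post; the last line has
# no matching login and shows how an unpaired logout is handled.
SAMPLE_LOG = <<~LOG
  |2017-09-28-09:49:18|INFO|JupyterHub|User logged in: user1|
  |2017-09-28-09:49:24|INFO|JupyterHub|User logged out: user1|
  |2017-09-28-09:49:42|INFO|JupyterHub|User logged in: user2|
  |2017-09-28-09:49:55|INFO|JupyterHub|User logged out: user2|
  |2017-09-28-09:50:00|INFO|JupyterHub|User logged out: user3|
LOG

# Equivalent of a grok pattern (assumed) such as
#   \|%{DATA:ts}\|%{LOGLEVEL:level}\|%{WORD:app}\|User logged %{WORD:action}: %{USERNAME:user}\|
LINE_RE = /\A\|(?<ts>\d{4}-\d{2}-\d{2}-\d{2}:\d{2}:\d{2})\|(?<level>\w+)\|(?<app>\w+)\|User logged (?<action>in|out): (?<user>\S+)\|\z/

# One parsed line == one Logstash event; returns nil for lines grok would tag _grokparsefailure
def parse_line(line)
  m = LINE_RE.match(line.strip)
  return nil unless m
  { 'timestamp' => Time.strptime(m[:ts], '%Y-%m-%d-%H:%M:%S'),
    'action' => m[:action], 'user' => m[:user] }
end

# Mirrors two aggregate blocks with task_id => "%{user}":
#   action == "in"  -> code => "map['login_time'] = event.get('timestamp').to_f"
#   action == "out" -> code => "event.set('session_seconds', event.get('timestamp').to_f - map['login_time'])"
#                      end_of_task => true
def sessions_from(log)
  open_sessions = {} # the aggregate filter's per-task_id map, keyed by user
  sessions = []
  log.each_line do |line|
    ev = parse_line(line) or next
    user = ev['user']
    case ev['action']
    when 'in'
      open_sessions[user] = ev['timestamp'] # a second login overwrites, as reassigning the map would
    when 'out'
      start = open_sessions.delete(user)
      next if start.nil? # logout with no open session: nothing to pair, event passes through unchanged
      sessions << { 'user' => user, 'session_seconds' => (ev['timestamp'] - start).to_i }
    end
  end
  sessions
end

if __FILE__ == $0
  sessions_from(SAMPLE_LOG).each { |s| puts "#{s['user']}: #{s['session_seconds']}s" }
end
```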