Hello, I'm new to Elasticsearch
I'm working with log files comming from filebeat and Filebeat and I'm trying to add a field "response_time", and then affect the difference between timestamp to It.
So I create a logstash's filter but When I run it on Grok Debugger, this is an exemple of the Filter I'm using.
filter {
aggregate {
add_field => {
"response_time" => "timestamp2-timestamp1"
}
json {
match => [ "message", "%{LOGLEVEL:loglevel},%{DATESTAMP_RFC2822:timestamp},%{NOTSPACE:event_type},%{NUMBER :capture_res_id},%{NUMBER :capture_pid},%{NUMBER :mti},%{NUMBER :node_id}
,%{UUID:msg_uuid},%{NOTSPACE:module},%{NUMBER :respCode}]
}
if [event_type] == "request_inc" {
aggregate {
msg_uuid => "%{UUID}"
timestamp1 => event.get('DATESTAMP_RFC2822')
code => "map['response_time'] = 0"
map_action => "create"
}
}
if [event_type] == "response_outg" {
aggregate {
msg_uuid => "%{UUID}"
event_type => event.set('event_type')
timestamp2 => "%{DATESTAMP_RFC2822}"
code => "map['response_time']"
map_action => "update"
end_of_task => true
timeout =>120
}
}
}
And this is an exemple of my log file:
{"log_level":"INFO","timestamp":"2021-12-15T16:06:24.400087Z","event_type":"s_tart","ca_id":"11","c_pid":"114","mti":"00","node_id":"00","msg_uuid":"1234","module":"cmde"}
{"log_level":"INFO","timestamp":"2021-12-15T16:06:31.993057Z","event_type":"e_nd","mti":"00","node_id":"00","msg_uuid":"1234","module":"PWC-cmde","respCode":"1"}