Multiple Elapsed

I want to measure the duration of several events within a single transaction.
I use an elapsed filter for this.

My data and Logstash config file are below:

data file
2021-02-16 16:00:00     016cbeb4    Input
2021-02-16 16:00:03     016cbeb4    Request
2021-02-16 16:00:08     016cbeb4    Response
logstash conf
# Read the sample log from disk. The settings below suit a repeatable local
# test rather than a long-running ingest pipeline.
input {
    file {
        path => "/etc/logstash/data/test.log"
        # Read the file from its first line instead of only tailing new lines.
        start_position => "beginning"
        # No read position is persisted, so the whole file is read again (and
        # indexed again) every time Logstash restarts. On a real log source
        # this produces duplicate events.
        sincedb_path => "/dev/null"
        # Static label attached to every event produced by this input.
        type => "elapsed_test"
    }
}

# Parse each line, tag it with its operation name, and measure the time from
# the "Input" event to the "Response" event of the same id. Filters run top to
# bottom, so the order of the sections below matters.
filter {
    # Split the raw line into ts, id and operation.
    # NOTE(review): the delimiters in the mapping must match the separators in
    # the log file exactly; the whitespace shown here may not be what the
    # original file used, so confirm against the data.
    dissect {
        mapping => {
            "message" => '%{ts} %{id}   %{operation}'
        }
    }

    # Set the event timestamp from the log line's own time, so durations are
    # measured between log times rather than ingest times.
    date {
        match => ["ts", "yyyy-MM-dd HH:mm:ss"]
    }

    # Tag the event with its operation name; the elapsed filter pairs events
    # by tag. If dissect did not produce an operation field, the reference is
    # left unresolved and the literal text is added as the tag.
    mutate {
        add_tag => "%{operation}"
    }

    # Pair the "Input" and "Response" events that share the same id.
    # NOTE(review): pairing depends on the start event being processed before
    # its end event; presumably this needs ordered processing (for example a
    # single pipeline worker), so confirm for the deployment.
    elapsed {
        start_tag => "Input"
        end_tag => "Response"
        unique_id_field => "id"
        # Add the elapsed fields to the end event itself instead of emitting
        # a separate event for the match.
        new_event_on_match => false
    }
}

# Ship the events to Elasticsearch. The connection settings were left out of
# the post ("..." is a placeholder, not valid configuration).
output {
    elasticsearch {
        ...
    }
}

I get the duration between Input and Response (8 sec):

How can I additionally get the duration between Input and Request (3 sec)?

Use a second elapsed filter.

I did it!
Thank you @Badger

Final Logstash conf file:
# Read the sample log from disk. The settings below suit a repeatable local
# test rather than a long-running ingest pipeline.
input {
    file {
        path => "/etc/logstash/conf.d/data/elapsed_test.log"
        # Read the file from its first line instead of only tailing new lines.
        start_position => "beginning"
        # No read position is persisted, so the whole file is read again (and
        # indexed again) every time Logstash restarts. On a real log source
        # this produces duplicate documents in the output index.
        sincedb_path => "/dev/null"
        # Static label attached to every event produced by this input; the
        # output section uses it as the index name.
        type => "elapsed_test"
    }
}

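# Parse each line, tag it with its operation name, and measure three durations
# per transaction id: Input->Request, Input->Response and Request->Response.
# Filters run top to bottom and every elapsed filter writes to the same
# "elapsed_time" field, so each result is stored under its own name before
# the next elapsed filter runs.
filter {
    # Split the tab-separated line into ts, id and operation.
    dissect {
        mapping => {
            "message" => '%{ts}	%{id}	%{operation}'
        }
    }

    # Set the event timestamp from the log line's own time, so durations are
    # measured between log times rather than ingest times.
    date {
        match => ["ts", "yyyy-MM-dd HH:mm:ss"]
    }

    # Tag the event with its operation name; the elapsed filters pair events
    # by tag. If dissect did not produce an operation field, the reference is
    # left unresolved and the literal text is added as the tag, so malformed
    # lines never match a start or end tag.
    mutate {
        add_tag => "%{operation}"
    }

    # NOTE(review): pairing depends on the start event being processed before
    # its end event; presumably this needs ordered processing (for example a
    # single pipeline worker), so confirm for the deployment.

    # Input -> Request: the result lands on the "Request" event.
    elapsed {
        start_tag => "Input"
        end_tag => "Request"
        unique_id_field => "id"
    }

    if [operation] == "Request" {
        mutate {
            copy => { "elapsed_time" => "Input-Request" }
        }
    }

    # Input -> Response: the result lands on the "Response" event.
    elapsed {
        start_tag => "Input"
        end_tag => "Response"
        unique_id_field => "id"
    }

    if [operation] == "Response" {
        mutate {
            # Move rather than copy: "elapsed_time" is cleared here so that,
            # when the Request->Response filter below finds no matching
            # "Request" event, the Input->Response value is not still present
            # to be stored as "Request-Response".
            rename => { "elapsed_time" => "Input-Response" }
        }
    }

    # Request -> Response: the result also lands on the "Response" event.
    elapsed {
        start_tag => "Request"
        end_tag => "Response"
        unique_id_field => "id"
    }

    if [operation] == "Response" {
        mutate {
            # On a normal transaction "elapsed_time" now holds the
            # Request->Response value and stays on the event.
            copy => { "elapsed_time" => "Request-Response" }
        }
    }
}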

# Print every event for inspection and index it into Elasticsearch.
output {
    # Debug output: each full event, including the raw log line, is written
    # to Logstash's standard output. Drop this once the pipeline is verified
    # so log content does not end up in the service's own logs.
    stdout {
        codec => rubydebug
    }

    elasticsearch {
        # Plain http:// with no credentials in this block: events cross the
        # network unencrypted and the cluster must accept unauthenticated
        # writes. Outside a local test, use an https:// endpoint with
        # certificate verification and set user/password (or an API key)
        # for an account limited to writing this index.
        hosts => ["http://<host>:9200"]
        # The index name comes from the event's "type" field, which the file
        # input sets to a fixed value. Keep it pipeline-controlled: an index
        # name taken from a field that log content can influence lets the
        # data choose where it is written.
        index => "%{type}"
    }
}
