I use elapsed filter to calculate events duration, but it has something wrong. The elapsed_time got negative number in my case.
config below:
Can someone help me?
Thanks.
Your start and end events coming in very quickly, 100ms from each other is that correct?
Thanks for your reply first. I got a search result for elpased_time between 0 to 1, like below pic.
Sometime elapsed get work when events between 100ms. But it maybe duration of events too fast to got this problem. And, I want to let it become normally to work correct. Hope for more discuss. Thanks.
Correct I think possibly the events are too fast
Have other solution?I want to use elapsed to do performance report.
I am unsure, perhaps raise a bug on github with the logstash team?
How many worker threads do you have configured for Logstash?
It has default setting, but I think it have 4 threads.
If I recall correctly, one of the major drawbacks with the elapsed and aggregate filters is that all related events have to pass through the same processing thread, thereby limiting Logstash to a single worker thread and instance. This naturally severely limits throughput and scales very badly. Try setting the number of worker threads to 1 to see if it resolves the accuracy issue.
A more scalable approach may be to have a periodic batch job that post-process events once they are in Elasticsearch, but although this is likely to scale better it does introduce a delay.
What does the underlying events that contributed to an incorrect elapsed time look like if you view them in Kibana?
Hello, who can tell me where is going wrong?