Using aggregate filter to measure response time

Hi,
I have been attempting to create an additional field in my logging which keeps the response time of TSA requests to a service.

After looking through some stuff I found that it looked like it would be possible with an aggregate filter in Logstash, so I tried to implement it, but I keep getting errors about the formatting of the filter clause.

Below is the filter part of the pipeline I'm creating.

The idea behind it is to subtract the 2 timestamps between the request received and request finished logs.
Any help on this topic, or any other way to achieve the result with the Elastic Stack, would be greatly appreciated.

    filter {
      if [message] =~ "RECEIVED TSA REQUEST" {
        aggregate {
          task_id => "test"
          code => "map['timestamp'] = %{@timestamp}
          map_action => "create"
        }
      }
      if [message] =~ "FINISHED TSA REQUEST" {
        aggregate {
          task_id => "test"
          code => "event.set(map['timestamp'] - '@timestamp')"
          map_action => "update"
          end_of_task => true
          timeout => 120
        }
      }
    }

task_id has to be a sprintf reference, and you need to convert [@timestamp] to a numeric value

            task_id => "%{test}"
            code => "map['timestamp'] = event.get('@timestamp').to_f"

would work in the first aggregate. For the second one, event.set takes two arguments, so

            code => "event.set('someField', map['timestamp'] - event.get('@timestamp').to_f)"

might work. I would definitely consider changing the to_f to to_f * 1000).to_i so that you are working with integer numbers of milliseconds.

Thanks for the help. I have tried this now; it solved the errors popping up, but it still does not add any fields with the response time info.
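
An added example, not part of the thread and not from any poster: a filter that keys the aggregate map on a field taken from each log line. The aggregate filter skips an event when its task_id pattern does not resolve to a field value, so this sketch assumes every line carries a per-request token of the hypothetical form `id=<value>`; the field names `tsa_action`, `request_id` and `tsa_response_ms` are illustrative.

```logstash
filter {
  # Assumption: lines look like "RECEIVED TSA REQUEST id=abc123" and
  # "FINISHED TSA REQUEST id=abc123". Adjust the pattern to the real format.
  grok {
    match => {
      "message" => "(?<tsa_action>RECEIVED|FINISHED) TSA REQUEST id=%{NOTSPACE:request_id}"
    }
    # Unrelated log lines should pass through without a failure tag.
    tag_on_failure => []
  }

  if [tsa_action] == "RECEIVED" {
    aggregate {
      # Must reference a field that exists on the event.
      task_id => "%{request_id}"
      # Store the start time as integer milliseconds.
      code => "map['started_ms'] = (event.get('@timestamp').to_f * 1000).to_i"
      map_action => "create"
    }
  } else if [tsa_action] == "FINISHED" {
    aggregate {
      task_id => "%{request_id}"
      # End minus start, so the result is a positive duration.
      code => "event.set('tsa_response_ms', (event.get('@timestamp').to_f * 1000).to_i - map['started_ms'])"
      # "update" runs the code only when a map exists, so a FINISHED
      # line without a matching RECEIVED line is left untouched.
      map_action => "update"
      end_of_task => true
      # Drop maps for requests that never finish within 120 seconds.
      timeout => 120
    }
  }
}
```

The aggregate filter needs a single pipeline worker (`pipeline.workers: 1`) so that the RECEIVED and FINISHED events for one request are processed in order. `@timestamp` is the ingest time unless a date filter sets it from the timestamp in the log line.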