Want to check connection duration

hi all,
I have configured Elasticsearch, Kibana and Logstash on a server and am sending logs from different Filebeat clients to Logstash. I have logs in which the connection established and connection reset times are present. My requirement is to get the connection duration. A sample log is given below:

Tue Oct  5 14:05:53 2021 TCP connection established with [AF_INET6]::ffff:192.168.10.1:55630
Tue Oct  5 23:40:51 2021 192.168.10.1:55630 Connection reset, restarting [0]

I have written a grok filter like this:

    %{DAY:day} %{SYSLOGTIMESTAMP:conn_est_time} %{YEAR:year} TCP connection established with \[AF_INET6\]::ffff:%{IP:server_IP}:%{NUMBER:port}
    %{DAY:day} %{SYSLOGTIMESTAMP:conn_reset_time} %{YEAR:year} %{IP:server_IP}:%{NUMBER:port} Connection reset, restarting \[0\]

Now I want to get the connection duration and visualize it in Kibana. How can I do that? Please guide me.

Use an aggregate filter. Your use case is similar to Example 1. You could try

    # "established" line: build a full timestamp from the grokked year and
    # syslog time, parse it into @timestamp, and start a task keyed by ip:port
    if [conn_est_time] {
        mutate { add_field => { "[@metadata][ts]" => "%{year} %{conn_est_time}" } }
        date { match => [ "[@metadata][ts]", "YYYY MMM  d HH:mm:ss", "YYYY MMM dd HH:mm:ss" ] }
        aggregate {
            task_id => "%{server_IP}:%{port}"
            code => 'map["start"] = event.get("@timestamp")'
            map_action => "create"
        }
    }
    # "reset" line: parse its timestamp the same way, look up the task with the
    # same ip:port, set duration (seconds) on this event and close the task so
    # the map entry is removed
    if [conn_reset_time] {
        mutate { add_field => { "[@metadata][ts]" => "%{year} %{conn_reset_time}" } }
        date { match => [ "[@metadata][ts]", "YYYY MMM  d HH:mm:ss", "YYYY MMM dd HH:mm:ss" ] }
        aggregate {
            task_id => "%{server_IP}:%{port}"
            code => 'event.set("duration", event.get("@timestamp") - map["start"])'
            map_action => "update"
            end_of_task => true
        }
    }

which gets me

       "duration" => 34498.0,

hi @Badger, thanks for your reply.

Will it create "duration" index pattern?

An index pattern? No. When an event that contains a [duration] field is indexed, an index mapping will automatically be created.

Yes, sorry. It's my fault. I wrote "index pattern" in place of "field".

hi @Badger
I have another query. Suppose that after a reset the same port is assigned to another connection establishment. Will I then get a separate duration for the second connection on the same port?

Yes, you will.
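Badger's two aggregate blocks above and the answer about port reuse, modelled as an added, runnable plain-Ruby script (not code from the thread or from the aggregate plugin): it matches the two line types with regexes equivalent to the grok patterns, keys tasks by `ip:port` the way `task_id` does, records the start on "established" (map_action create), emits the duration and deletes the entry on "reset" (end_of_task), so a second connection that reuses the same port gets its own duration. The sample log is constructed; the last two lines are an assumed second connection on the reused port. Two caveats from the plugin's documentation when running the real config: the aggregate filter needs a single pipeline worker (`pipeline.workers: 1`), and its `timeout` (default 1800 seconds since the task's last event, on Logstash's clock) evicts the map entry, so a connection that stays up for hours, like the 9.5-hour one in the sample, needs a larger `timeout` or the reset will find no map entry and no duration will be set.

```ruby
require 'time'

# Constructed sample log (not from the thread): the two lines posted above, plus
# an assumed second connection that reuses 192.168.10.1:55630 after the reset,
# to show that each established/reset pair gets its own duration.
SAMPLE_LOG = <<~LOG
  Tue Oct  5 14:05:53 2021 TCP connection established with [AF_INET6]::ffff:192.168.10.1:55630
  Tue Oct  5 23:40:51 2021 192.168.10.1:55630 Connection reset, restarting [0]
  Tue Oct  5 23:41:02 2021 TCP connection established with [AF_INET6]::ffff:192.168.10.1:55630
  Wed Oct  6 00:01:02 2021 192.168.10.1:55630 Connection reset, restarting [0]
LOG

# Regex equivalents of the two grok patterns. %{SYSLOGTIMESTAMP} tolerates the
# extra space before a one-digit day ("Oct  5"), hence " +\d{1,2}" below.
EST_RE   = /\A(?<day>\w{3}) (?<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?<year>\d{4}) TCP connection established with \[AF_INET6\]::ffff:(?<ip>[\d.]+):(?<port>\d+)\z/
RESET_RE = /\A(?<day>\w{3}) (?<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?<year>\d{4}) (?<ip>[\d.]+):(?<port>\d+) Connection reset, restarting \[0\]\z/

# What the mutate + date filters do: join "%{year} %{conn_*_time}" and parse it.
# Forced to UTC so the subtraction does not depend on the host time zone.
def parse_ts(year, syslog_ts)
  Time.strptime("#{year} #{syslog_ts} +0000", '%Y %b %e %H:%M:%S %z')
end

# Plain-Ruby model of the aggregate filter's per-task map: one entry per
# task_id ("ip:port"), created on "established", consumed and deleted on "reset".
class ConnectionDurations
  Result = Struct.new(:task_id, :start, :finish, :duration)

  def initialize
    @map = {}
  end

  # Feed one log line; returns a Result when a connection completes, else nil.
  def feed(line)
    if (m = EST_RE.match(line))
      task_id = "#{m[:ip]}:#{m[:port]}"
      # map_action => "create": only initialise when no task is in flight; the
      # filter likewise skips the code block if the map already exists.
      @map[task_id] ||= { 'start' => parse_ts(m[:year], m[:ts]) }
      nil
    elsif (m = RESET_RE.match(line))
      task_id = "#{m[:ip]}:#{m[:port]}"
      # map_action => "update": an orphan reset with no matching start is ignored.
      return nil unless (entry = @map[task_id])
      finish = parse_ts(m[:year], m[:ts])
      # end_of_task => true: drop the entry, so a later connection that reuses
      # the same port starts a fresh task instead of inheriting this start time.
      @map.delete(task_id)
      Result.new(task_id, entry['start'], finish, finish - entry['start'])
    end
  end

  # task_ids that have an "established" but no "reset" yet
  def in_flight
    @map.keys
  end
end

# Run a whole log through the model and collect the completed connections.
def durations_for(log)
  agg = ConnectionDurations.new
  log.each_line(chomp: true).map { |line| agg.feed(line) }.compact
end

if $PROGRAM_NAME == __FILE__
  durations_for(SAMPLE_LOG).each do |r|
    puts "#{r.task_id} #{r.start.utc} -> #{r.finish.utc} duration=#{r.duration}"
  end
end
```

The first pair yields 34498.0 seconds, the value Badger reported; the second, on the reused port, yields its own 1200.0 seconds because the first task's entry was removed at end_of_task.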
