Weird Behaviour of Elapsed Filter Plugin


(Rohit Agrawal) #1

I am using the elapsed filter plugin to calculate the time difference between multiple start/end events for a particular id.

if [StepName] == "Step1" and [StepStatus] == "start" {
    mutate { add_tag => "Step1_start" }
} else if [StepName] == "Step2" and [StepStatus] == "start" {
    mutate { add_tag => "Step2_start" }
} else if [StepName] == "Step2" and [StepStatus] == "end" {
    mutate { add_tag => "Step2_end" }
} else if [StepName] == "Step3" and [StepStatus] == "start" {
    mutate { add_tag => "Step3_start" }
} else if [StepName] == "Step3" and [StepStatus] == "end" {
    mutate { add_tag => "Step3_end" }
} 

elapsed {
    start_tag => "Step1_start"
    end_tag => "Step1_end"
    unique_id_field => "FrtId"
    new_event_on_match => false
    timeout => 1800
}
elapsed {
    start_tag => "Step2_start"
    end_tag => "Step2_end"
    unique_id_field => "FudtId"
    new_event_on_match => false
    timeout => 1800
}
elapsed {
    start_tag => "Step3_start"
    end_tag => "Step3_end"
    unique_id_field => "FudtId"
    new_event_on_match => false
    timeout => 1800
}

The problem I am facing is that, in spite of the data being absolutely correct, for many documents I am getting the "elapsed_end_without_start" tag. However, for the same document, the start tag is already present earlier in the file from which I am loading it.

Any help will be appreciated.
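
An added example, not part of the original post or the plugin's code: a small model of the start/end pairing that the config above asks for, replayed over events in the order they arrive, to check which end events have no earlier start for the same id. The step-to-id-field mapping and the tagged combinations are copied from the post's config; the sample events and the function name are constructed assumptions, and the plugin's timeout handling is not modeled.

```python
# Added example: models only the start/end pairing, not the plugin's timeout.
# Step -> id field, copied from the three elapsed blocks in the post.
ID_FIELD = {"Step1": "FrtId", "Step2": "FudtId", "Step3": "FudtId"}
# (StepName, StepStatus) pairs the post's conditional tags; Step1 "end" has no branch.
TAGGED = {("Step1", "start"), ("Step2", "start"), ("Step2", "end"),
          ("Step3", "start"), ("Step3", "end")}

def pair_events(events):
    """Replay events in the given order; return (matched, ends_without_start)."""
    pending = {}                 # (step, id) -> index of the unmatched start
    matched, orphans = [], []
    for i, ev in enumerate(events):
        step, status = ev.get("StepName"), ev.get("StepStatus")
        if (step, status) not in TAGGED:
            continue             # untagged event: no elapsed block reacts to it
        uid = ev.get(ID_FIELD[step])
        if uid is None:
            continue             # id field missing: nothing to pair on
        key = (step, uid)
        if status == "start":
            pending.setdefault(key, i)      # the first start for an id is kept
        elif key in pending:
            matched.append((pending.pop(key), i))
        else:
            orphans.append(i)    # would carry elapsed_end_without_start
    return matched, orphans

# Constructed sample events (not data from the post).
SAMPLE = [
    {"StepName": "Step2", "StepStatus": "start", "FudtId": "A1"},
    {"StepName": "Step2", "StepStatus": "end",   "FudtId": "A1"},
    {"StepName": "Step3", "StepStatus": "end",   "FudtId": "A1"},  # end seen before its start
    {"StepName": "Step3", "StepStatus": "start", "FudtId": "A1"},
    {"StepName": "Step2", "StepStatus": "end",   "FudtId": "B2"},  # no start for B2 at all
]

if __name__ == "__main__":
    matched, orphans = pair_events(SAMPLE)
    print("matched start/end index pairs:", matched)
    print("end events with no earlier start:", orphans)
```

Feeding it the events in file order and again in the order they reach the filter shows whether an end is orphaned in the data itself or only by arrival order.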


(Rohit Agrawal) #2

@magnusbaeck Can you help me with this situation?

