Search code examples
elasticsearchlogstashgroc

Logstash elapsed filter

I am trying to use the elapsed.rb filter in the ELK stack and cant seem to figure it out. I am not very familiar with grok and I believe that is where my issue lives. Can anyone help?

Example Log Files:

{
    "application_name": "Application.exe",
    "machine_name": "Machine1",
    "user_name": "testuser",
    "entry_date": "2015-03-12T18:12:23.5187552Z",
    "chef_environment_name": "chefenvironment1",
    "chef_logging_cookbook_version": "0.1.9",
    "logging_level": "INFO",
    "performance": {
        "process_name": "account_search",
        "process_id": "Machine1|1|635617555435187552",
        "event_type": "enter"
    },
    "thread_name": "1",
    "logger_name": "TestLogger",
    "@version": "1",
    "@timestamp": "2015-03-12T18:18:48.918Z",
    "type": "rabbit",
    "log_from": "rabbit"
}

{
    "application_name": "Application.exe",
    "machine_name": "Machine1",
    "user_name": "testuser",
    "entry_date": "2015-03-12T18:12:23.7527462Z",
    "chef_environment_name": "chefenvironment1",
    "chef_logging_cookbook_version": "0.1.9",
    "logging_level": "INFO",
    "performance": {
        "process_name": "account_search",
        "process_id": "Machine1|1|635617555435187552",
        "event_type": "exit"
    },
    "thread_name": "1",
    "logger_name": "TestLogger",
    "@version": "1",
    "@timestamp": "2015-03-12T18:18:48.920Z",
    "type": "rabbit",
    "log_from": "rabbit"
}

Example .conf file

input {
  rabbitmq {
    host => "SERVERNAME"
    add_field => ["log_from", "rabbit"]
    type => "rabbit"
    user => "testuser"
    password => "testuser"
    durable => "true"
    exchange => "Logging"
    queue => "testqueue"
    codec => "json"
    exclusive => "false"
    passive => "true"
  }
}


filter {

   grok {
     match => ["message", "%{TIMESTAMP_ISO8601} START id: (?<process_id>.*)"]
     add_tag => [ "taskStarted" ]
   }

   grok {
     match => ["message", "%{TIMESTAMP_ISO8601} END id: (?<process_id>.*)"]
     add_tag => [ "taskTerminated"]
   }

   elapsed {
    start_tag => "taskStarted"
    end_tag => "taskTerminated"
    unique_id_field => "process_id"
    timeout => 10000
    new_event_on_match => false
  }
}

output {
  file {
    codec => json { charset => "UTF-8" }
    path => "test.log"
  }
}
Solution

  • You would not need to use a grok filter because your input is already in json format. You'd need to do something like this:

    if [performance][event_type] == "enter" {
  mutate { add_tag => ["taskStarted"] }
} else if [performance][event_type] == "exit" {
  mutate { add_tag => ["taskTerminated"] }
}
elapsed {
  start_tag => "taskStarted"
  end_tag => "taskTerminated"
  unique_id_field => "performance.process_id"
  timeout => 10000
  new_event_on_match => false
}

    I'm not positive on that unique_id_field -- I think it should work, but if it doesn't you could just change it to process_id only and add_field => { "process_id" => "%{[performance][process_id]}" }