Multiple elapsed plugins for one event

[Aerylia]

Hi,

So I've been busy with timing the time difference between some events, and came across an instance where two tasks are stopped with the same event, however, when calling the elapsed plugin twice, only the first is recorded. What should I do to make elapsed record both?

Example cofig:
filter {
grok {
match => ["message", "STARTING TASK1: (?.)"]
add_tag => [ "Task1Started" ]
}
grok {
match => ["message", "STARTING TASK2: (?.)"]
add_tag => [ "Task2Started" ]
}
grok {
match => ["message", "ENDING TASK: (?.)"]
add_tag => [ "Task1Terminated", "Task2Terminated"]
}
elapsed {
start_tag => "Task1Started"
end_tag => "Task1Terminated"
unique_id_field => "task_id"
}
elapsed {
start_tag => "Task2Started"
end_tag => "Task2Terminated"
unique_id_field => "task_id"
}
}

Thanks for any help on this issue!

[varunsharma27]

why not Make it like this :-

if [task] =~ "firstTask Started" {
	mutate {
	    add_field => { "uniqueID" => "%{task_id}-firstTask" }
	    add_tag => [ "START" ]
	}
} else {
	if [task] =~ "secondTask Started" {
		mutate {
		    add_field => { "uniqueID" => "%{task_id}-secondTask" }
		    add_tag => [ "START" ]
		}
	} 
elapsed {
start_tag => "START"
end_tag => "End"
unique_id_field => "uniqueID"
}

In this case, you can use same call to elapsed plugin for all the tasks and there wont be any mismatch as you'll append task name to their IDs

[aeva-assured]

I believe the issue you are having is the "elapsed_time" field gets overwritten with the second event. I had this same issue. To correct, insert an if statement after the first elapsed that checks if "elapsed_time" exists, if it does, use mutate to assign that value to a different field and then remove the elapsed time field. Then the second elapsed use case will be written.

I typically do that for all instances of elapsed so that I free the field for other use cases, especially if my filter file is being used alongside someone elses and I don't know what they have it in .