Event timeout: Not able to get information fields from start event

[Tigzy]

Hello :)

Considering the following configuration:

filter {
  grok {
    match => ["message", "STARTING TASK: (?<task_id>.*)"]
    add_tag => [ "TaskStarted" ]
  }
  grok {
    match => ["message", "ENDING TASK: (?<task_id>.*)"]
    add_tag => [ "TaskTerminated"]
  }
  elapsed {
    start_tag => "TaskStarted"
    end_tag => "TaskTerminated"
    unique_id_field => "task_id"
  }
}

When we send the following event:

{
  "message":"STARTING TASK: some_id",
  "foo":"bar
}

and we get a timeout, a timeout event is generated like that:

{
  "tags":"elapsed",
  "task_id": "some_id"
}

but we cannot access the field named "foo" to restore its value in that timeout event. This is very useful because except the task_id, we don't have any way to retrieve which event failed.
Could be good to retrieve those fields with the add_field syntax, like:

elapsed {
    timeout_add_field => { 
      "foo" => "%{foo}"
    }
  }

Alternatively, we could chose which fields to restore from the start event, or just restore them all...

[jsvd]

A simple way of implementing this would be through a :include_start_event_on_timeout => true (false by default), that adds a metadata field like
timeout_event["[@metadata][start_event]"] = start_event.to_hash