
Using Elapsed filter, if I add a field using add_field, I am not able to view the data in Kibana. It's coming %{usrname}

My requirement is to find the time elapsed between two jobs and display it.

Log:

2018-09-27 09:27:18,615 71e02f2f-32d5-9509-870a-f80e54dc8775 George Started
2018-09-27 09:29:14,615 71e02f2f-32d5-9509-870a-f80e54dc8775 George Complete

filter {
  grok {
    match => ["message", "%{TIMESTAMP_ISO8601:timestamp} %{UUID:messageId} %{USERNAME:usr} %{WORD:event}"]
    add_tag => [ "%{event}" ]
  }
  date {
    match => [ "timestamp", "ISO8601"]
  }
  
  # Measures the execution time of system1
  elapsed {
    unique_id_field => "messageId"
    start_tag => "Started"
    end_tag => "Complete"
    new_event_on_match => true
    add_tag => ["%{messageId}"]
    add_field => { "User" => "%{usr}"}
  }
  
  # Records the execution time of system1
  if "%{messageId}" in [tags] {
    aggregate {
      task_id => "%{messageId}"
      code => "map['report'] = [(event['elapsed_time']*1000).to_i]"
      map_action => "create"
      add_field => { "User" => "%{usr}"}
    }
  }
 
 
}
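
Added example, not part of the original post and not Logstash code: a small Python model of the Started/Complete pairing over the two sample lines, showing how a `%{usr}` reference renders when the match event does or does not carry the `usr` field. It assumes that the event created with `new_event_on_match => true` holds only the elapsed fields and the unique id; `pair_events`, `sprintf` and `carry_fields` are hypothetical names.

```python
import re
from datetime import datetime

# Constructed from the two sample lines in the post.
SAMPLE = """\
2018-09-27 09:27:18,615 71e02f2f-32d5-9509-870a-f80e54dc8775 George Started
2018-09-27 09:29:14,615 71e02f2f-32d5-9509-870a-f80e54dc8775 George Complete
"""

# Regex stand-in for the grok pattern in the post (timestamp, UUID, user, word).
LINE = re.compile(
    r"(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<messageId>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}) "
    r"(?P<usr>[A-Za-z0-9._-]+) (?P<event>\w+)$"
)

def sprintf(template, event):
    """%{field} substitution; a field missing from the event stays literal."""
    return re.sub(r"%\{(\w+)\}",
                  lambda m: str(event.get(m.group(1), m.group(0))), template)

def pair_events(text, carry_fields=()):
    """Pair Started/Complete lines by messageId; return one match event per pair."""
    started, matches = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # unparseable line: skip it
        ev = m.groupdict()
        ev["@timestamp"] = datetime.strptime(ev["timestamp"], "%Y-%m-%d %H:%M:%S,%f")
        if ev["event"] == "Started":
            started[ev["messageId"]] = ev
        elif ev["event"] == "Complete" and ev["messageId"] in started:
            start = started.pop(ev["messageId"])
            # Assumption: the match event holds only the id and the elapsed time.
            match = {
                "messageId": ev["messageId"],
                "elapsed_time": (ev["@timestamp"] - start["@timestamp"]).total_seconds(),
            }
            # Optionally copy fields from the start event into the match event.
            match.update({f: start[f] for f in carry_fields})
            match["User"] = sprintf("%{usr}", match)  # rendered like add_field
            matches.append(match)
    return matches

if __name__ == "__main__":
    print(pair_events(SAMPLE))
    print(pair_events(SAMPLE, carry_fields=("usr",)))
```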