elasticsearch
B_bird, 2017-11-21 13:32:05

How to aggregate events by id?

Records (events) combined by trid (transaction id) get into elastic from the application logs:

{
  trid:  10005333969
  service: "test"
  message: "Request start"
},
{
  trid:  10005333969
  message: "Some inner log 1"
},
...
{
  trid:  10005333969
  message: "Some inner log N"
},
{
  trid:  10005333969
  duration: 0.123
  message: "Request end"
}

The first event has the name of the service (service), the last one has the duration of the request (duration). I do not understand how to build an aggregation of the average response time by service. I.e. first you need to somehow join all the records by trid in order to get one line in which there will be service and duration, and then group by service and take avg(duration), but how to do it in elastic, something does not work out yet ...
PS I tried: this can be done through logstash aggregation, but there were some difficulties in merging a bunch of lines and turning them into one event sent to elastic.
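The join-then-group steps described in the question, as an added example that is not part of the original post: it runs client-side in Python over constructed events and is not an Elasticsearch aggregation or a Logstash filter. The function names and all sample events other than the first trid are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample events in the shape shown in the question.
EVENTS = [
    {"trid": 10005333969, "service": "test", "message": "Request start"},
    {"trid": 10005333969, "message": "Some inner log 1"},
    {"trid": 10005333969, "duration": 0.123, "message": "Request end"},
    {"trid": 10005333970, "service": "test", "message": "Request start"},
    {"trid": 10005333970, "duration": 0.377, "message": "Request end"},
    {"trid": 10005333971, "service": "billing", "message": "Request start"},
    {"trid": 10005333971, "duration": 1.5, "message": "Request end"},
    # Incomplete transactions: one has no end event, one has no start event.
    {"trid": 10005333972, "service": "billing", "message": "Request start"},
    {"trid": 10005333973, "duration": 9.0, "message": "Request end"},
]


def join_by_trid(events):
    """Merge all events that share a trid into one record per transaction."""
    merged = defaultdict(dict)
    for event in events:
        record = merged[event["trid"]]
        for field in ("service", "duration"):
            if field in event:
                record[field] = event[field]
    return dict(merged)


def avg_duration_by_service(events):
    """Return ({service: average duration}, [trids skipped as incomplete])."""
    totals = defaultdict(lambda: [0.0, 0])  # service -> [sum, count]
    incomplete = []
    for trid, record in join_by_trid(events).items():
        # Without both fields the transaction cannot be attributed or timed.
        if "service" not in record or "duration" not in record:
            incomplete.append(trid)
            continue
        totals[record["service"]][0] += record["duration"]
        totals[record["service"]][1] += 1
    averages = {svc: total / count for svc, (total, count) in totals.items()}
    return averages, sorted(incomplete)


if __name__ == "__main__":
    print(avg_duration_by_service(EVENTS))
```

Transactions that lack either the start or the end event are reported separately instead of being counted, so a lost log line does not skew a service's average.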
