Calculating time difference between events

Question

I have Logon & Logoff events coming from winlogbeat. I looking for a way to match the LogonID field between those events, and than calculate the timestamp time difference. Could this be achieved without using logstash filters?

For example: how can I combine this 3 queries and return the timestamp as well? than maybe I can calculate the difference.

GET /winlogbeat-7.14.0-2022.02.03-000001/_search
{
  "query": {
    "match_all": {}
  },
 "aggs": {
    "bulks": {
  "terms": {
    "field": "winlog.event_data.TargetLogonId",
    "size": 10
  },
  "aggs": {
    "orders": {
      "top_hits": {
        "size": 10
          }
        }
      }
    }
  }
}
 GET /winlogbeat-7.14.0-2022.02.03-000001/_search
{
   "query":{
      "match" : {
         "winlog.event_id":"4624"
      }
   }
}
GET /winlogbeat-7.14.0-2022.02.03-000001/_search
{
   "query":{
      "match" : {
         "winlog.event_id":"4634"
      }
   }
}

Does this answer your question? [how to create query which can calculate time difference?](https://stackoverflow.com/questions/21902423/how-to-create-query-which-can-calculate-time-difference) — Sagar Patel, Feb 07 '22 at 09:34
Please check my answer and marked as solution if it really helps you!!! — Sagar Patel, Mar 08 '22 at 09:58

score 2 · Answer 1 · edited Feb 07 '22 at 16:59

2

I will suggest to check this POST which have all the example like using query, using script_field, using scripted_metric aggregation, elapsed logstash filter etc.

Below is exmaple using scripted_metric:

{
  "size": 0,
  "aggs": {
    "d_ids": {
      "terms": {
        "field": "name.keyword",
        "size": 10
      },
      "aggs": {
        "duration": {
          "scripted_metric": {
            "map_script": "if (doc.type.value == \"stop\") { params._agg.end = doc.eventTime.value; } else { params._agg.start = doc.eventTime.value; }",
            "reduce_script": "long start = 0; long end = 0; for(h in params._aggs) { if(h.start != null) { start = h.start; } if (h.end != null) { end = h.end; } } return (end - start);"
          }
        }
      }
    }
  }
}

edited Feb 07 '22 at 16:59

Paulo

8,690
5
20
34

answered Feb 07 '22 at 09:37

Sagar Patel

4,993
1
8
19

Hi, Thanks for the replay. This post is not useful because in my scenario, the events don't have start & stop times. I need to match a common value(Id) before the time difference calculation. – Rusty cole Feb 07 '22 at 10:51
1

@Rustycole did you check post properly? you have 2 event with LogonId as common right and both field have timestamp field then how you can not use scripted_metric? because you can applied aggregation LogonId which will aggregate your login and logout even as both have same LogonId and then you can applied scripted metric on that. is this not helpful to you ? – Sagar Patel Feb 07 '22 at 13:03
@Rustycole is this answer help you ? please mark as solution if it is helped. – Sagar Patel Mar 02 '22 at 13:49

Calculating time difference between events

1 Answers1