Elapsed + aggregate passing custom fields in Logstash
I am using the elapsed plugin to calculate time and the aggregate plugin to display it. I added custom fields to the elapsed filter, as you can see below:
    add_field => {
      "status" => "status"
      "user" => "%{byuser}"
    }
One is static and the other one is dynamic, coming from the event. On the output of Logstash it displays the static values but not the dynamic one.
It displays %{byuser} for the dynamic one. The task id and status fields work fine, and I got the right values.
Any idea why?
A little bit more code:
    elapsed {
      unique_id_field => "assetid"
      start_tag => "tag1:tag2"
      end_tag => "tag3:tag4"
      add_field => {
        "wasinstatus" => "tag3"
        "user" => "%{byuser}"
      }
      add_tag => ["customtag"]
    }
Grok input:
    grok {
      # grok pattern names are case-sensitive and upper-case
      match => [ "message", "%{TIMESTAMP_ISO8601:timestamp} %{NUMBER:assetid} %{WORD:event}:%{WORD:event1} user:%{USERNAME:byuser}" ]
    }
    # aggregate only the events tagged by the elapsed filter
    if "customtag" in [tags] and "elapsed" in [tags] {
      aggregate {
        task_id => "%{assetid}"
        code => "event.to_hash.merge!(map)"
        map_action => "create_or_update"
      }
    }
The problem is connected with the elapsed filter:
new_event_on_match => true/false
Changing new_event_on_match (false/true) in the pipeline fixed the issue, but I still wonder why.