Add field if based on another timestamps-field value

I've been trying to add a field describing the status of the current rpm.
Basically I've been using execbeats to execute a command which returns all the currently installed rpms.
Now we have an internal tool which basically builds all rpms daily. So we can assume, if an RPM is older than last day 19:00, it is out of date.

Currently I'm already extracting the timestamp as a separate STRING field.
It has the format YYMMddHH, so 21101819 as an example. Now the idea would be to do something like

      [rpmtimestamp] >= "%{+YYMMdd}-{1 day}19"

Now I think there are 2 issues with this: first, >= is probably not supported for strings, as I get some huge error. Secondly, I don't know how I would implement (-1 day), since you also have to consider end of month and such (well, technically I don't think you need to, if string comparison actually worked). I have seen a few suggestions with ruby, but I don't think it looks that readable, so I was trying to get it to work like this. Is it possible? (Possibly with Int / string conversions)

I found this regarding this problem: Add index pattern / date math support to the index => setting · Issue #49 · logstash-plugins/logstash-input-elasticsearch · GitHub

Unfortunately this doesn't seem to be supported outside of index names.
As I still get something like this in my debugging: out of date - <{now/d-1d{YYMMdd}}>19

No, logstash does not include date maths. But you can use a ruby filter

    # sample value only; in practice the field comes from the execbeat output
    mutate { add_field => { "rpmtimestamp" => "21101813" } }
    # parse YYMMddHH into a real timestamp, kept under @metadata so it is not shipped with the event
    date { match => [ "rpmtimestamp", "YYMMddHH" ] target => "[@metadata][rpmtimestamp]" }
    # flag the rpm "old" when the parsed build time is more than 86400 s (one day) before now
    ruby { code => 'event.set("rpmstatus", DateTime.now.strftime("%s").to_i - event.get("[@metadata][rpmtimestamp]").to_i > 86400 ? "old" : "new")' }

That is not very readable, and includes no error handling, so you will need to rewrite it.
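As an added example (not the answer's code, and not tested inside a Logstash ruby filter), here is the same check as a plain Ruby method with the input validation the answer says is missing; it assumes the YYMMddHH value and the reference time are both UTC, and applies the cutoff from the question (19:00 on the previous day) instead of a flat 24-hour rule:

```ruby
require 'date'

# Classify an rpmtimestamp string of the form YYMMddHH (e.g. "21101819").
# Rule from the question: a build older than 19:00 on the previous day is out of date.
# Returns "new", "old" or "invalid"; malformed input never raises, so one bad
# field value cannot abort a whole pipeline.
# `now` is a UTC DateTime and is injectable so the logic can be tested deterministically.
def rpm_status(rpmtimestamp, now = DateTime.now.new_offset(0))
  # Reject anything that is not exactly eight digits before attempting to parse it.
  return "invalid" unless rpmtimestamp.is_a?(String) && rpmtimestamp.match?(/\A\d{8}\z/)

  built = begin
    # %y maps two-digit years 00-68 to 20xx; strptime raises on impossible dates (month 13 etc.)
    DateTime.strptime(rpmtimestamp, "%y%m%d%H")
  rescue ArgumentError
    return "invalid"
  end

  # Date arithmetic takes care of month and year boundaries (1 Nov - 1 day = 31 Oct).
  yesterday = now.to_date - 1
  cutoff = DateTime.new(yesterday.year, yesterday.month, yesterday.day, 19, 0, 0)

  built >= cutoff ? "new" : "old"
end

# Constructed sample values from the thread (a build timestamp and the time of the check).
if __FILE__ == $PROGRAM_NAME
  check_time = DateTime.new(2021, 10, 19, 8, 0, 0)
  %w[21101819 21101813 2110181 21139901].each do |ts|
    puts "#{ts} -> #{rpm_status(ts, check_time)}"
  end
end
```

Inside a Logstash ruby filter the same method would read the field with event.get and write the result with event.set, as in the answer's snippet.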
