Please see below
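# Extract the business date from the file name.
# Expected shape: <prefix>.<YYYYMMDD>.<rest>. The separators are escaped so
# they match a literal "." (an unescaped "." is "any character" in grok), and
# the pattern is anchored so a partial match inside a longer name is rejected.
#
# On failure a dedicated tag is kept on the event instead of the generic
# _grokparsefailure being added and then stripped again. Silently dropping the
# failure leaves [year]/[month]/[day] unset, so later add_field emits the
# literal text "%{year}-%{month}-%{day} ..." and every downstream date
# computation (and LateFileStatus) is wrong with no trace left in the event.
grok {
  match => ["file", "^%{WORD}\.%{WORD:BusinessDate}\.%{GREEDYDATA:FileLastPart}$"]
  tag_on_failure => ["_businessdate_grokparsefailure"]
}
# Split BusinessDate (YYYYMMDD) into year / month / day.
# Anchored so the whole value must be consumed. NOTE: %{YEAR} also accepts a
# two-digit year and %{MONTHNUM}/%{MONTHDAY} accept single digits, so this is
# still lenient; tighten to (?<year>\d{4})(?<month>\d{2})(?<day>\d{2}) if the
# feed guarantees eight digits — TODO confirm with the producer.
grok {
  match => ["BusinessDate", "^%{YEAR:year}%{MONTHNUM:month}%{MONTHDAY:day}$"]
  tag_on_failure => ["_businessdate_grokparsefailure"]
}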
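# Build the business-date cutoff string at 03:00:00.000 in one step.
# The original scratch field ExpectedTime (added, interpolated, then removed)
# never reached the output, so its value is inlined here.
# NOTE: the field keeps the original spelling "BusinesDateTime" (one "s");
# later filters and any consumers reference it by that name.
# Guarded on the grok outputs: without the guard a failed date grok makes
# Logstash write the unresolved literal "%{year}-%{month}-%{day} 03:00:00.000"
# into the event, which then fails date parsing downstream.
if [year] and [month] and [day] {
  mutate {
    add_field => { "BusinesDateTime" => "%{year}-%{month}-%{day} 03:00:00.000" }
  }
}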
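# Convert the cutoff string into a real timestamp (in place).
# Bug fix: the original pattern "YYYY-MM-DD" used Joda's week-year (Y) and
# day-of-year (D) letters, so "2024-03-15" was read as day 15 of the year,
# not 15 March. Calendar year / day-of-month are lowercase: yyyy-MM-dd.
# NOTE(review): no timezone is set, so the Logstash host's zone is assumed —
# confirm that is the zone the 03:00 cutoff is meant in (otherwise set
# timezone => "UTC" or the business zone explicitly).
date {
  match => ["BusinesDateTime", "yyyy-MM-dd HH:mm:ss.SSS"]
  target => "BusinesDateTime"
}
# Late-arrival cutoff = business date 03:00 + 24h (86400 s; note this is a
# fixed 24h, so the wall-clock time shifts by an hour across a DST change
# in a non-UTC zone).
# Only computed when the conversion above produced a Timestamp: on a String
# (parse failed) or nil, .to_f silently yields 0.0 -> 1970-01-02, which then
# makes every file look "late". The failure is tagged instead.
ruby {
  code => '
    cutoff = event.get("BusinesDateTime")
    if cutoff.is_a?(LogStash::Timestamp)
      event.set("BusinesDateTimeConverted", LogStash::Timestamp.new(Time.at(cutoff.to_f + 86400)))
    else
      event.tag("_businessdate_cutoff_unavailable")
    end
  '
}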
# Strip a trailing ".mmm" millisecond suffix from the raw log timestamp
# string before parsing (only a dot followed by exactly three digits at the
# end of the value; a ",mmm" suffix is left untouched).
mutate {
gsub => ["LogEventTimeStamp", "\.\d{3}$", ""]
}
# NOTE(review): BusinesDateTimeConverted is already a LogStash::Timestamp
# (set by the ruby filter above), yet it is re-parsed here with string
# patterns. That looks redundant at best; if the plugin stringifies the value
# (ISO8601 "...T...Z") none of these patterns match and the event is tagged
# _dateparsefailure. Confirm whether this filter is needed at all.
date
{
match => ["BusinesDateTimeConverted", "yyyy-MM-dd HH:mm:ss", "MMM dd, yyyy HH:mm:ss", "yyyy-MM-dd HH:mm:ss,SSS", "yyyy-MM-dd HH:mm:ss.SSS"]
target => "BusinesDateTimeConverted"
}
# Parse the (millisecond-stripped) log timestamp into a Timestamp in place.
# The ".SSS" variant can no longer match after the gsub above (dead but
# harmless); the ",SSS" variant still can. No timezone is set, so the host
# zone is assumed for zone-less inputs — TODO confirm against the log source.
date
{
match => ["LogEventTimeStamp", "yyyy-MM-dd HH:mm:ss", "MMM dd, yyyy HH:mm:ss", "yyyy-MM-dd HH:mm:ss,SSS", "yyyy-MM-dd HH:mm:ss.SSS"]
target => "LogEventTimeStamp"
}
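# Date comparison: flag the file as late when the log event time is at or
# after the cutoff (business date + 1 day, 03:00).
#
# Bug fix: the original wrapped an `if` inside a `date { }` plugin block,
# which is not valid Logstash config (conditionals live at filter level, not
# inside a plugin), and the condition itself was a malformed string literal
# ("LogEventTimeStamp >= "BusinesDateTimeConverted"), not a field
# comparison. Timestamp-vs-timestamp ordering is done in Ruby so the result
# does not depend on how a given Logstash version compares Timestamp objects
# in conditionals. Both fields must be real Timestamps (both come from
# filters above); otherwise the event is tagged rather than mis-labelled.
# Output values are unchanged: "LateArrival" / "On-Time".
ruby {
  code => '
    log_ts = event.get("LogEventTimeStamp")
    cutoff = event.get("BusinesDateTimeConverted")
    if log_ts.is_a?(LogStash::Timestamp) && cutoff.is_a?(LogStash::Timestamp)
      event.set("LateFileStatus", log_ts.to_f >= cutoff.to_f ? "LateArrival" : "On-Time")
    else
      event.tag("_latefilestatus_unavailable")
    end
  '
}
# End of date comparison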