"Calculated" date field and Timezone problem

Anabella_Cristaldi · October 31, 2017, 9:00am

Hi all,

I'm parsing some phone call logs that have a start timestamp and a duration. And I need to calculate the timestamp where the call ends. That is Start_timestamp + duration.

The date in the original log is in this format yyyyMMddHHmmss (20171005072911) and I'm able to convert it to date using the date plugin and set the localtimezone with success

date {
        match => [ "ts", "yyyyMMddHHmmss" ]
        timezone => "Europe/Madrid"
        remove_field => [ "ts" ]
}

For the example abovem I get @timestamp:October 5th 2017, 07:29:11.000 which is correct.

In order to calculate the timestamp for the STOP I use the ruby plugin

  if [duration]{
                ruby {
                        code =>"event.set('ts_stop',(event.get('@timestamp')+event.get('duration')))"
                }
        }

The result is correct but I'm not able to get the new field with the local tz but UTC

ts_stop:2017-10-05T05:29:11.000Z

There is any way to obtain the ts_stop with my local timezone?

Thannk you very much
Regards
Ana

Anabella_Cristaldi · October 31, 2017, 1:21pm

I found a solution, probably not the best but it works.

.....
        date {
                match => [ "ts", "yyyyMMddHHmmss" ]
                timezone => "Europe/Andorra"
                remove_field => [ "ts" ]
        }
        mutate {
                convert => { "duration" => "integer" }
        }
        if [duration]{
                ruby {
                        code => "event.set('ts_temp',event.get('@timestamp')+event.get('duration'))"
                }
                ruby {
                        code => "event.set('ts_stop',event.get('ts_temp').time.localtime.strftime('%d/%b/%Y:%H:%M:%S CST'))"
                        remove_field => [ "ts_temp" ]
                }

        }


....

So first I compute the stop timestamp and then I set the CST timezone.

If there is any suggestion about how to improve this It would be appreciated
Regards
Anna

Anabella_Cristaldi · October 31, 2017, 3:04pm

Not really solved, the new field "ts_stop" it is not date type

 "ts_stop": {
    "type": "text",
    "fields": {
      "keyword": {
        "type": "keyword",
        "ignore_above": 256
      }
    }
  },

system · November 28, 2017, 3:05pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.