"Calculated" date field and Timezone problem

Hi all,

I'm parsing some phone call logs that have a start timestamp and a duration. And I need to calculate the timestamp where the call ends. That is Start_timestamp + duration.

The date in the original log is in this format yyyyMMddHHmmss (20171005072911) and I'm able to convert it to a date using the date plugin and set the local timezone with success:

date {
        match => [ "ts", "yyyyMMddHHmmss" ]
        timezone => "Europe/Madrid"
        remove_field => [ "ts" ]
}

For the example above, I get @timestamp:October 5th 2017, 07:29:11.000 which is correct.

In order to calculate the timestamp for the STOP I use the ruby plugin:

if [duration] {
        ruby {
                code => "event.set('ts_stop',(event.get('@timestamp')+event.get('duration')))"
        }
}

The result is correct, but I'm not able to get the new field in the local tz, only in UTC:

ts_stop:2017-10-05T05:29:11.000Z

Is there any way to obtain the ts_stop with my local timezone?

Thank you very much
Regards
Ana

I found a solution, probably not the best but it works.

.....
date {
        match => [ "ts", "yyyyMMddHHmmss" ]
        timezone => "Europe/Andorra"
        remove_field => [ "ts" ]
}
# duration must be numeric before it is added to @timestamp
mutate {
        convert => { "duration" => "integer" }
}
if [duration] {
        # stop time = start time + duration
        ruby {
                code => "event.set('ts_temp',event.get('@timestamp')+event.get('duration'))"
        }
        # format in the host's local time zone; 'CST' is literal text in the pattern
        ruby {
                code => "event.set('ts_stop',event.get('ts_temp').time.localtime.strftime('%d/%b/%Y:%H:%M:%S CST'))"
                remove_field => [ "ts_temp" ]
        }
}


....

So first I compute the stop timestamp and then I set the CST timezone.

If there is any suggestion about how to improve this, it would be appreciated.
Regards
Anna

Not really solved: the new field "ts_stop" is not of date type.

"ts_stop": {
  "type": "text",
  "fields": {
    "keyword": {
      "type": "keyword",
      "ignore_above": 256
    }
  }
},
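
Added example, not part of the original posts: the stop-time calculation discussed in this thread as plain Ruby, done in UTC and rendered as ISO 8601 with an explicit offset instead of a literal zone suffix, including a call that crosses the autumn clock change. The helper names and the hand-written EU summer-time rule (CET/CEST, as used by Europe/Madrid) are assumptions made so it runs without a time zone library.

```ruby
require 'time'

# Assumption: EU rule for Europe/Madrid. Summer time (CEST, +02:00) runs from
# the last Sunday of March 01:00 UTC to the last Sunday of October 01:00 UTC.
def eu_switch(year, month)
  last_day = Time.utc(year, month, 31)      # March and October have 31 days
  Time.utc(year, month, 31 - last_day.wday, 1)
end

def cest?(utc)
  utc >= eu_switch(utc.year, 3) && utc < eu_switch(utc.year, 10)
end

# Parse a yyyyMMddHHmmss wall-clock string (as in the thread's "ts") to UTC.
# The repeated hour at the autumn switch resolves to its first (CEST) pass.
def parse_local(ts)
  m = /\A(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})\z/.match(ts.to_s)
  raise ArgumentError, "bad timestamp: #{ts.inspect}" unless m
  naive = Time.utc(*m.captures.map(&:to_i))
  summer = naive - 7200
  cest?(summer) ? summer : naive - 3600
end

# Stop time = start + duration (seconds), computed in UTC and rendered both
# as UTC and as local time with the offset in force at the stop instant.
def call_stop(ts, duration)
  secs = Integer(duration.to_s, 10)          # log fields arrive as strings
  raise ArgumentError, 'negative duration' if secs.negative?
  stop = parse_local(ts) + secs
  offset = cest?(stop) ? 7200 : 3600
  { 'utc' => stop.iso8601, 'local' => stop.getlocal(offset).iso8601 }
end

# Constructed sample records: the thread's timestamp, and a call that
# crosses the 2017-10-29 switch back to CET.
if __FILE__ == $PROGRAM_NAME
  [['20171005072911', '60'], ['20171029015950', '3700']].each do |ts, dur|
    puts "#{ts} +#{dur}s -> #{call_stop(ts, dur)}"
  end
end
```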
