Calculation in mutate field


(Ankit Pradhan) #1

I have a TIME field and I would like to convert HHmmss to only seconds.

e.g.
"duration": [
[
"0:00:00"
]
],
"HOUR": [
[
"0"
]
],
"MINUTE": [
[
"00"
]
],
"SECOND": [
[
"00"
]
]

I would like to have a new field in which I can convert the duration to only seconds with the formula (like [HOUR*60*60 + MINUTE*60 + SECOND]).

I tried
grok {
match => ["eventDescription", "%{SPACE}:%{SPACE}%{WORD}%{SPACE}%{WORD}%{SPACE}%{WORD}%{SPACE}%{WORD}%{SPACE}%{SPACE}%{TIME:duration}"]
}
#mutate { add_field => {"xfbTransferDuration" => [HOUR*60*60 + MINUTE*60 + SECOND] }}

But this does not work.

What is a possible way to get the TIME in seconds?

Input String: : CFTU20I Session active for 0:00:00
Grok: %{SPACE}:%{SPACE}%{WORD}%{SPACE}%{WORD}%{SPACE}%{WORD}%{SPACE}%{WORD}%{SPACE}%{SPACE}%{TIME:duration}


(Ed) #2

I think the solution for what you want to do is the ruby filter, but I don't have much experience in using it.

I find that the mutate filter is limited and every solution about "calculations" says to go to ruby.


(Chaitanya Varanasi) #3

Hi,
Source : https://groups.google.com/forum/#!topic/logstash-users/iEYRv7bCqdM

I have searched the Google Groups of Logstash and found a post asking for almost the same kind of functionality. The proposed solution is as below:

filter {
  if [sendout_count] and [transport_time] {
    ruby {
      code => "event['per_sendout_transport_time'] = event['transport_time'] / event['sendout_count']"
    }
  }
}

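In your example, I think you can approach this as follows:

filter {
  if [HOUR] and [MINUTE] and [SECOND] {
    ruby {
      # grok captures are strings, so convert with to_i first;
      # otherwise "0" * 3600 repeats the string instead of multiplying.
      # On Logstash 5.0 and later, use event.get('HOUR') / event.set('timeInSeconds', ...)
      # in place of the event['...'] syntax.
      code => "event['timeInSeconds'] = event['HOUR'].to_i*3600 + event['MINUTE'].to_i*60 + event['SECOND'].to_i"
    }
  }
}

That way, you can get a field named timeInSeconds. Hope this helps.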
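
The conversion discussed in this thread, as an added example that is not part of any poster's reply: plain Ruby that parses the `duration` string strictly and tags events it cannot parse instead of coercing them to 0. `FakeEvent`, `duration_to_seconds`, `apply_filter` and the `_durationparsefailure` tag are hypothetical names; `get`/`set`/`tag` mirror the Logstash 5+ event API so the logic can be exercised outside Logstash.

```ruby
# Constructed stand-in for a Logstash event (assumption: only get/set/tag are needed).
class FakeEvent
  def initialize(fields)
    @fields = fields
  end

  def get(key)
    @fields[key]
  end

  def set(key, value)
    @fields[key] = value
  end

  def tag(name)
    (@fields['tags'] ||= []) << name
  end
end

# Strict H:MM:SS matcher: minutes and seconds must be 00-59, nothing may trail.
DURATION_RE = /\A(\d{1,4}):([0-5]\d):([0-5]\d)\z/

# Returns the duration in whole seconds, or nil when the input is not H:MM:SS.
def duration_to_seconds(value)
  m = DURATION_RE.match(value.to_s.strip)
  return nil unless m

  # to_i is essential: captures are strings, and "1" * 3600 repeats the string.
  hours, minutes, seconds = m.captures.map(&:to_i)
  hours * 3600 + minutes * 60 + seconds
end

# The logic that would sit inside ruby { code => "..." }, as a testable method.
def apply_filter(event)
  secs = duration_to_seconds(event.get('duration'))
  if secs.nil?
    event.tag('_durationparsefailure') # hypothetical tag, makes bad input searchable
  else
    event.set('timeInSeconds', secs)
  end
  event
end
```

Working from the single `duration` field avoids depending on separate HOUR, MINUTE and SECOND fields being present on the event.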

