Compare Dates in Logstash Pipeline

I have created a data field during the pipeline and I am trying to find a way to compare that field to see if it is 30 days old or newer. I am not sure how to go about it, however.

This is the code I have for creating the date field I am trying to query against.

        date {
          match => [ "modified_creation_date", "yyyy-MM-dd" ]
          remove_field => [ "modified_creation_date" ]
          target => "creation_date"
        }

I have tried using an if statement and range along with now-30d/d; however, that does not appear to work. Does anyone have an idea as to what function I could use to compare the date field I have created? Do I need to create another date field with the date 30 days ago to compare against? Using if, range, something else?

Welcome @d-ring

I know you can compare two dates that are in the same format (e.g. ISO8601) like this:

        if [date1] <= [date2] {
        }

But as you say, that would require you to create another date field for 30 days ago. In the post "Adding 1 day to the date", something similar is done with a ruby filter; please check that out and see if you can make it work.

Grtz

Willem

Does this help?

Thanks. This is what I needed to get moving in the right direction.

For those that might need it, I ended up doing it this way.

        date {
          match => [ "modified_creation_date", "yyyy-MM-dd" ]
          remove_field => [ "modified_creation_date" ]
          target => "creation_date"
        }

        # Drop the field if it ended up empty
        if [creation_date] == "" {
          mutate { remove_field => [ "creation_date" ] }
        }

        ruby {
          code => 'event.set("temp_date", event.get("@timestamp"))'
        }

        # 2592000 seconds = 30 days before the event's @timestamp
        ruby {
          code => 'event.set("30d_ago", LogStash::Timestamp.new(Time.at(event.get("@timestamp").to_f-2592000)))'
        }

        # Tag events whose creation_date is newer than 30 days ago
        if [30d_ago] < [creation_date] {
          mutate {
            add_tag => ["young_domain"]
          }
        }
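The same 30-day check as a stand-alone Ruby sketch (an added example, not code from the thread or from Logstash): plain hashes stand in for Logstash events, the function names are hypothetical, and dates are treated as UTC. It measures the cutoff from the event's `@timestamp` rather than the wall clock and leaves events with a missing or invalid date untagged.

```ruby
require "date"

THIRTY_DAYS = 30 * 24 * 60 * 60 # 2592000 seconds, the same offset used in the thread

# Parse a strict yyyy-MM-dd string to UTC midnight; nil if missing or invalid.
def parse_creation_date(raw)
  m = /\A(\d{4})-(\d{2})-(\d{2})\z/.match(raw.to_s.strip)
  return nil unless m
  y, mo, d = m.captures.map(&:to_i)
  Date.valid_date?(y, mo, d) ? Time.utc(y, mo, d) : nil
end

# Plain hashes stand in for Logstash events (assumption for this example).
# Adds "young_domain" to "tags" when the creation date is newer than
# 30 days before the event's own @timestamp.
def tag_young_domain(event)
  created = parse_creation_date(event["modified_creation_date"])
  return event if created.nil? # missing or bad date: leave untagged

  cutoff = event["@timestamp"] - THIRTY_DAYS # relative to event time
  if created > cutoff
    event["tags"] = (event["tags"] || []) | ["young_domain"] # no duplicates
  end
  event
end

# Constructed sample events, all stamped with the same fixed @timestamp.
NOW = Time.utc(2024, 3, 31, 12, 0, 0)
SAMPLE_DATES = ["2024-03-20", "2023-01-15", "", "2024-02-30", "2024-03-01"].freeze

def run_samples
  SAMPLE_DATES.map do |d|
    ev = tag_young_domain({ "@timestamp" => NOW, "modified_creation_date" => d })
    [d, ev.fetch("tags", [])]
  end
end

run_samples.each { |date, tags| puts "#{date.inspect} -> #{tags.inspect}" }
```

Like the comparison in the thread, a creation date in the future also counts as newer than the cutoff and gets tagged.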