Conditional for @timestamp

elvarb · January 2, 2017, 10:35am

Is it possible to create a conditional for the @timestamp field, so for example if I get a message with a timestamp older than 1h then do something?

magnusbaeck · January 2, 2017, 11:08am

It's possible, but Logstash's configuration language doesn't support date math so you'll have to do that in a ruby filter. The filter could set a tag that a standard conditional acts upon.

elvarb · January 2, 2017, 11:37am

Thats exactly what I did, the power of Ruby and the simplicity of Epoch timestamps is a wonderful thing

ruby {
  code => "event['EventTimeDrift'] = (Time.now.to_f * 1000).to_i - event['EventTime'].to_i"
}

system · January 30, 2017, 11:37am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Is @timestamp get value automatically from field timestamp? Logstash	5	273	November 7, 2023
Logstash conditional check if filed exist then replace timestamp value with another fileds timestamp Logstash	3	432	January 31, 2023
Unable to replace @timestamp with some other field in logstash Logstash	6	2312	September 19, 2017
Date filter does not work Logstash	4	360	May 1, 2021
Identify lines older than X days Logstash	12	3804	July 6, 2017

Conditional for @timestamp

Related topics