Convert text field to date

Hello,
I need to convert a field in text format into a date. I need to have another date field besides @timestamp: the @timestamp field identifies the arrival time of the log, whereas the dataRisposta field (in the case of a response) identifies the time at which the log was generated. I need it in order to find the difference between the time of the request (a similar field in another log) and the response.
I have this filter

filter {
  grok {
    match => { "message" => "\"%{TIMESTAMP_ISO8601:timestamp}........" }
  }
  mutate {
    rename => { "timestamp" => "dataRisposta" }
  }
}

And have this result

2022-12-07_22-38

As you can see, the dataRisposta field corresponds to the time of the original event, while @timestamp is the arrival time of the log on Elasticsearch.
Is it possible to convert the dataRisposta field to date format?

Thanks

You would use a date filter. To calculate the difference I would use a ruby filter....

input { generator { count => 1 lines => [ '2022-11-28 09:00:00.123 2022-11-28 09:10:01.000' ] } }

output { stdout { codec => rubydebug { metadata => false } } }
filter {
    grok { match => { "message" => "%{TIMESTAMP_ISO8601:t1} %{TIMESTAMP_ISO8601:t2}" } }
    date { match => [ "t1", "ISO8601" ] target => "t1" }
    date { match => [ "t2", "ISO8601" ] target => "t2" }
    ruby {
        code => '
            t1 = event.get("t1")
            t2 = event.get("t2")
            if t1 and t2
                event.set("delta", t2.to_f - t1.to_f)
            end
        '
    }
}

which produces

     "delta" => 600.8770000934601,

I have t1 and t2 in two different logs, because I have the request and the response in two different events.
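The arithmetic from the ruby filter in the answer, run outside Logstash and extended to the follow-up case where request and response are two separate events, as an added Ruby example that is not part of this thread. The `request_id`, `kind` and `dataRichiesta` fields are assumptions standing in for whatever the two logs actually share; `Time.parse` stands in for the date filter.

```ruby
require 'time'

# Same shape grok's TIMESTAMP_ISO8601 captures from the generator line in the answer.
TIMESTAMP_RE = /(\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}(?:\.\d+)?)/

# Stand-in for the date filter: a string field becomes a Time, a missing or
# unparsable field stays nil instead of raising (so the filter never blows up).
def parse_timestamp(str)
  return nil if str.nil?
  Time.parse(str)
rescue ArgumentError
  nil
end

# Equivalent of the ruby filter body on the page: delta = t2 - t1 in seconds,
# nil when either side is absent (the `if t1 and t2` guard).
def compute_delta(event)
  t1 = parse_timestamp(event["t1"])
  t2 = parse_timestamp(event["t2"])
  return nil unless t1 && t2
  (t2 - t1).to_f
end

# Follow-up case: request and response arrive as separate events, so the request
# time has to be remembered until the matching response shows up. Assumes a
# hypothetical shared `request_id` and a `kind` field of "request"/"response".
class RequestResponseCorrelator
  def initialize
    @pending = {} # request_id => Time of the request
  end

  # Returns the request->response delta in seconds once a pair completes, else nil.
  def observe(event)
    id = event["request_id"]
    return nil if id.nil?
    case event["kind"]
    when "request"
      @pending[id] = parse_timestamp(event["dataRichiesta"]) # hypothetical field name
      nil
    when "response"
      t_req = @pending.delete(id)
      t_resp = parse_timestamp(event["dataRisposta"])
      t_req && t_resp ? (t_resp - t_req).to_f : nil
    end
  end
end

# Constructed sample: the exact line the answer feeds to the generator input.
def demo
  t1, t2 = "2022-11-28 09:00:00.123 2022-11-28 09:10:01.000".scan(TIMESTAMP_RE).flatten
  compute_delta("t1" => t1, "t2" => t2)
end
```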
