Convert Timestamp in Elasticsearch Query Rule

jdwinns · February 15, 2022, 9:16pm

Hi folks,

I am new to the ELK stack and have a question in regards to an Elastic query rule and e-mail alert that I've created.

Currently, I am including the log @timestamp field in the e-mail alert using this variable:
{{context.hits.0._source.@timestamp}}

The @timestamp field in the alert is coming through in UTC and I need it formatted in EST. Is there any way to modify/convert the timestamp at the query level and output the results to an alert?

Here is the Elasticsearch query that I'm currently using:

{
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "match_phrase": {
            "message": "Caused by: java.net.ConnectException"
          }
        },
        {
          "match_phrase": {
            "path": "C:\\Path\\To\\Error.log"
          }
        },
        {
          "match_phrase": {
            "level": "ERROR"
          }
        }
        ]
    }
  }
}

Patrick_Mueller · February 15, 2022, 9:37pm

Not currently, but we have an issue open to allow this sort of thing, with time formatting being one of the use cases. https://github.com/elastic/kibana/issues/84217

Feel free to comment there how well this would work for your use case, so you can follow along when we start working on an implementation.

There's also a proof-of-concept PR where we're playing with some of this, to show you some examples of how this would actually work: [actions] add mustache lambdas for use in action templates by pmuellr · Pull Request #107612 · elastic/kibana · GitHub

jdwinns · February 16, 2022, 4:18pm

Thank you @Patrick_Mueller, this is awesome! I just subscribed to the Git thread you shared and will definitely follow the development progress.