Convert @timestamp to epoch

Elastic Stack Logstash
1

Hi,

I need to convert @timestamp to epoch and add this new field to the event.

So far I can only add a new field with the content of "@timestamp".

filter {
    mutate
    {
        add_field => ["epochtime", "%{@timestamp}"]
    }
}

I'm sure this will be an easy fix although I can't find anything to lead me to my answer.

Please assist.

Thank you,
Rivaan

2

you can use the ruby filter for this:

input { generator { count => 1 } }
filter {
  # for logstash 5.x
  ruby { code => "event.set('epoc', event.get('@timestamp').to_i)" }
  # for logstash 2.x
  # ruby { code => "event['epoc'] = event['@timestamp'].to_i" }
}
output { stdout { codec => rubydebug } }

{
          "epoc" => 1478082411,
      "sequence" => 0,
    "@timestamp" => 2016-11-02T10:26:51.303Z,
      "@version" => "1",
          "host" => "Joaos-MBP-5.lan",
       "message" => "Hello world!"
}
3 Likes
3

Hi @jsvd,

This works!! Thank you so much! :smile:

Is it possible to also convert this to my timezone?

Thank you so much! :slight_smile:
Rivaan

4

@jsvd,

I've figure out a method to push it into my timezone.

# ruby { code => "event['epoc'] = event['@timestamp'].to_i + 7200" }

Thank you for your help!

5

hi!!

do you can tell me how i can use this in this case?

1487596174.308 3 10.241.252.78 TCP_DENIED/407 1554 GET http://adrta.com/i? - NONE/- text/html
(access log of squid)
grok { match => [ "message", "%{NOTSPACE:fecha}\s+%{NUMBER:respuestaMS} %{IPV4:ip_user} %{WORD:estado}/%{NUMBER:codigo_http} %{NUMBER:respuestaKB} %{WORD:metodo} %{NOTSPACE:url} %{DATA:user} %{DATA:estado}/%{DATA:ip_srv} %{GREEDYDATA:tipo}" ] }

But I'm missing the date conversion epoch to @timestamp

I have all parsed but I'm missing the date conversion epoch to @timestamp