I have a field that displays connection duration as a string that looks like 3h:49m:57s. Any ideas on how to convert this to an aggregatable format such as epoch time or something?
If you want to convert that to seconds you could do something like this (not tested):
grok { match => { "someField" => "%{INT:[@metadata][h]}h:%{INT:[@metadata][m]}m:%{INT:[@metadata][s]}s" } }
ruby { code => 'event.set("duration", event.get("[@metadata][h]").to_i*3600 + event.get("[@metadata][m]").to_i*60 + event.get("[@metadata][s]"))' }
Oh wow, that's more than I expected! I should really learn Ruby better, I never think about it much. Unfortunately, after adapting it to the correct fields, I get an error: Ruby exception occurred: String can't be coerced into Integer
Got it...had to convert the seconds field to an integer.
ruby {
code => 'event.set("session_duration", event.get("[@metadata][h]").to_i*3600 + event.get("[@metadata][m]").to_i*60 + event.get("[@metadata][s]").to_i)'
}
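Added example, not code from the posts above: the same conversion as plain Ruby that runs outside Logstash, showing why the missing `.to_i` raised and how to return nil for values that do not parse instead of raising. The names `DURATION_RE`, `naive_sum` and `duration_to_seconds` are hypothetical, the sample values are constructed, and accepting durations without an hours or minutes part is an assumption about the data, going beyond the single format in the thread.

```ruby
# Anchored pattern for "3h:49m:57s". Hours and minutes are optional here
# (assumption: short sessions might be logged as "49m:57s" or "57s").
DURATION_RE = /\A(?:(\d+)h:)?(?:(\d+)m:)?(\d+)s\z/

# The first attempt from the thread: grok captures are Strings, so the
# last term is Integer + String, which raises TypeError.
def naive_sum(h, m, s)
  h.to_i * 3600 + m.to_i * 60 + s
end

# Returns the duration in whole seconds, or nil when the value is not a
# String or does not match the expected layout. Returning nil lets the
# caller skip setting the field rather than abort on an exception.
def duration_to_seconds(value)
  return nil unless value.is_a?(String)

  match = DURATION_RE.match(value.strip)
  return nil if match.nil?

  # Missing optional groups are nil, and nil.to_i is 0.
  hours, minutes, seconds = match.captures.map(&:to_i)
  hours * 3600 + minutes * 60 + seconds
end

# Constructed sample values, including ones a log source might emit
# when the session length is unknown.
SAMPLES = ["3h:49m:57s", "49m:57s", "57s", "n/a", "", nil, "3h:49m:57"].freeze

# Maps each sample to its parsed value so the results can be inspected.
def convert_samples(samples = SAMPLES)
  samples.map { |s| [s, duration_to_seconds(s)] }
end

if __FILE__ == $PROGRAM_NAME
  convert_samples.each { |raw, secs| puts "#{raw.inspect} -> #{secs.inspect}" }
  begin
    naive_sum("3", "49", "57")
  rescue TypeError => e
    puts "naive_sum raised: #{e.message}"
  end
end
```

Inside a ruby filter the same check means calling `event.set` only when the result is not nil, so one malformed value does not produce a Ruby exception for that event.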