EQL date difference function

Is there a way to get the difference of two dates in EQL? I checked the EQL functions docs, but neither subtract() nor number() seems to work on datetime fields. I know I can probably achieve what I need with an ingest pipeline or maybe a runtime field, but it seems like a strange omission from the EQL functions.

Hi and thanks for posting.
Unfortunately EQL does not support date functions. You can define a runtime mapping in your EQL query to do the calculation.

GET /logs-*/_eql/search?filter_path=-hits.events._source
{
  "runtime_mappings": {
    "ms_between_ingest_and_timestamp": {
      "type": "long",
      "script": {
        "source": """
          long timestamp_millis = doc['@timestamp'].value.getMillis();
          long ingested_millis = doc['event.ingested'].value.getMillis();
          emit(ingested_millis - timestamp_millis);
        """
      }
    }
  },
  "filter": {
    "bool": {
      "must": [
        {
          "exists": {
            "field": "@timestamp"
          }
        },
        {
          "exists": {
            "field": "event.ingested"
          }
        }
      ]
    }
  },
  "query": """
    any where ms_between_ingest_and_timestamp > 1000
  """,
  "fields": [
    "@timestamp",
    "event.ingested",
    "ms_between_ingest_and_timestamp"
  ]
}

In the above example I subtract event.ingested from the @timestamp. The resulting time interval is in milliseconds. I use a filter to ensure that this only runs on documents that have both event.ingested and @timestamp. Lastly, I use the runtime field, ms_between_ingest_and_timestamp, in the EQL query.

Sorry for the inconvenience.

Best regards,
Robert
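The following is an added example, not code from the thread or from Elastic: it builds the same request body shown in the answer above (same runtime field, exists filter and EQL threshold) and, so the arithmetic can be checked offline, applies the same lag computation and filtering locally over a few constructed sample documents. The document ids, the timestamps and the `find_delayed_events` helper are assumptions made for the example; the Painless script string is copied from the answer, and on Elasticsearch versions where `doc['<date>'].value` is a ZonedDateTime the equivalent call is `.toInstant().toEpochMilli()` instead of `.getMillis()`.

```python
"""Added example: mirror the runtime-mapping approach from the answer above and
simulate the resulting field locally on constructed sample documents."""
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def build_eql_request(threshold_ms: int) -> dict:
    """Return the /_eql/search request body in the same shape as the answer:
    a runtime field for the ingest lag, an exists-filter on both date fields,
    and an EQL query thresholding the runtime field."""
    painless = (
        "long timestamp_millis = doc['@timestamp'].value.getMillis();"
        "long ingested_millis = doc['event.ingested'].value.getMillis();"
        "emit(ingested_millis - timestamp_millis);"
    )
    return {
        "runtime_mappings": {
            "ms_between_ingest_and_timestamp": {
                "type": "long",
                "script": {"source": painless},
            }
        },
        # The filter guarantees both dates exist, so the script never
        # dereferences a missing doc value.
        "filter": {
            "bool": {
                "must": [
                    {"exists": {"field": "@timestamp"}},
                    {"exists": {"field": "event.ingested"}},
                ]
            }
        },
        "query": f"any where ms_between_ingest_and_timestamp > {threshold_ms}",
        "fields": ["@timestamp", "event.ingested", "ms_between_ingest_and_timestamp"],
    }


def _to_millis(value: str) -> int:
    """Parse an ISO 8601 timestamp (trailing 'Z' accepted) to epoch milliseconds,
    using integer timedelta arithmetic to avoid float rounding."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return (dt - EPOCH) // timedelta(milliseconds=1)


def ingest_lag_ms(doc: dict):
    """Local equivalent of the runtime field: event.ingested minus @timestamp,
    in milliseconds. Returns None when either field is missing, which is the
    case the exists-filter in the request excludes. A negative value means the
    event was ingested before its own timestamp (clock skew or a forged time)."""
    if "@timestamp" not in doc or "event.ingested" not in doc:
        return None
    return _to_millis(doc["event.ingested"]) - _to_millis(doc["@timestamp"])


def find_delayed_events(docs, threshold_ms: int):
    """Apply the filter and the EQL condition locally: keep documents that have
    both fields and whose lag exceeds threshold_ms. Returns (id, lag_ms) pairs."""
    hits = []
    for doc in docs:
        lag = ingest_lag_ms(doc)
        if lag is not None and lag > threshold_ms:
            hits.append((doc["id"], lag))
    return hits


# Constructed sample documents (not real data): a delayed event, a prompt one,
# one missing event.ingested, and one ingested before its own @timestamp.
SAMPLE_DOCS = [
    {"id": "a", "@timestamp": "2024-01-01T00:00:00.000Z", "event.ingested": "2024-01-01T00:00:02.500Z"},
    {"id": "b", "@timestamp": "2024-01-01T00:00:00.000Z", "event.ingested": "2024-01-01T00:00:00.400Z"},
    {"id": "c", "@timestamp": "2024-01-01T00:00:00.000Z"},
    {"id": "d", "@timestamp": "2024-01-01T00:00:10.000Z", "event.ingested": "2024-01-01T00:00:05.000Z"},
]

if __name__ == "__main__":
    import json
    print(json.dumps(build_eql_request(1000), indent=2))
    print(find_delayed_events(SAMPLE_DOCS, 1000))
```

Documents with a negative lag (ingested before their own @timestamp, like doc "d") are excluded by the `> 1000` condition but are worth a separate query in a detection pipeline, since they indicate clock skew on the source or an event whose timestamp was set by something other than the clock that observed it.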
