I have standard Windows IIS log files with event date/time stamp information and timetaken (in milliseconds).
I would like to be able to adjust the event time (@timestamp) by subtracting the "timetaken" to be able to record when the event started rather than when it was completed.
I've looked at using the ruby plug in but my ruby knowledge is zero.
This does not work the way I want it to?
ruby {
code => "event['@timestamp_adj'] = (event['@timestamp'].to_f - (event['timetaken'].to_f/1000)))"
}
Some sample date: (with redactions and mangles for sensitive data)
{
"@timestamp" => "2015-10-22T22:59:49.000Z",
"timestamp" => "2015-10-22 23:59:49",
"method" => "GET",
"page" => "/spacer.gif",
"response" => "200",
"timetaken" => "2120",
"@timestamp_adj" => 1445554789.0
}
In this (made up) case, the event time is 22:59:49.000 and took 2.120 seconds (2,120 milliseconds) to complete. What I want to have is @timestamp_adj to record 22:59:48.880
Either:
- How do I convert the now "numeric" timestamp back to a time string that Elasticsearch will recognise?
- or how to I do Date/time math without corrupting the date/time encoding?
Thanks in advance.