i would like to get the current timestamp from logstash, currently i'm using the following code to get the current time.
input {
stdin { codec => json }
# Supports "cron", "every", "at" and "in" schedules by rufus scheduler
schedule => { cron => "* * * * * UTC"}
}
filter {
ruby {
code => "event.set('updated_date', event.get('@timestamp'))"
}
}
output
{
elasticsearch
{
index => "test"
}
}
By current timestamp you mean the event processing time that is named @timestamp?
Your code does now the following:
{
"updated_date" => 2019-05-17T14:23:37.396Z,
"@version" => "1",
"message" => "helloworld",
"@timestamp" => 2019-05-17T14:23:37.396Z,
"host" => "testnode"
}
You can also do it:
filter {
ruby {
code => "event.set('updated_date', event.get('@timestamp'))"
}
mutate {
add_field => { "mutate_time" => "%{@timestamp}" }
}
}
{
"@version" => "1",
"@timestamp" => 2019-05-17T14:25:32.110Z,
"mutate_time" => "2019-05-17T14:25:32.110Z",
"updated_date" => 2019-05-17T14:25:32.110Z,
"host" => "testnode",
"message" => "mutate_time"
}
One possible way would be to create a field at the start of the filter section like this (I do something similar)
alter {
add_field => {
"[@metadata][now]" => "%{+YYYY.MM.dd.ss:SSS}"
}
}
Format it however you want. This can be added to any log message or used as the source to overwrite other fields...
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.