You could do it with aggregate using something like this.
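
    # Constant task_id so that every event shares the same aggregate map.
    # The aggregate filter needs events processed in order (pipeline.workers set to 1).
    mutate { add_field => { "static" => "1" } }
    if [message] =~ /2015/ {
        # Matching line: remember its message in the shared map.
        aggregate {
            task_id => "%{static}"
            code => "map['something'] = event.get('message')"
        }
    } else {
        # Any other line: copy the remembered value onto this event.
        aggregate {
            task_id => "%{static}"
            code => "event.set('something', map['something'])"
        }
    }
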
Or you could do it using a ruby class variable. Use one of these in the first block and the other in the second.
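
    # First block: store the value in a class variable.
    ruby { code => '@@t = event.get("timestamp")' }
    # Second block: write the stored value onto the event.
    ruby { code => 'event.set("timestamp", @@t)' }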