Grokking duration

Hi,
How can we grok duration field for following piece of message:

"Duration: 0h:00m:16s, Bytes xmt: 76895, Bytes rcv: 81897, Reason: User Requested"

What do you want to end up with?

I want to grok duration to a timestamp so that I can create queries based on duration (i.e. highest online time of user) or based on highest sum of TX & RX bytes of user.

If you test something like this

  grok { match => { "message" => "Duration: %{NUMBER:hours}h:%{NUMBER:minutes}m:%{NUMBER:seconds}s, Bytes xmt: %{NUMBER:xmt}, Bytes rcv: %{NUMBER:rcv}, Reason: %{GREEDYDATA:reason}" } }
  mutate { add_field => { "time" => "%{hours}:%{minutes}:%{seconds}" } }
  date { match => [ "time", "H:mm:ss" ] target => "duration1" }
  ruby { code => 'event.set("duration2", event.get("hours").to_i*3600 + event.get("minutes").to_i*60 + event.get("seconds").to_i)' }
  mutate { remove_field => [ "hours", "minutes", "seconds" ] }

You will end up with the datetime picking up default values for the year, etc., which is probably not what you want. Converting it to a number of seconds might work better.

     "message" => "Duration: 1h:10m:16s, Bytes xmt: 76895, Bytes rcv: 81897, Reason: User Requested",
     "duration1" => 2018-01-01T06:10:16.000Z,
     "duration2" => 4216,
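To see the seconds-based approach from the answer end to end, here is an added Ruby example (not code from the thread) that does the same work outside Logstash: a regex equivalent to the grok pattern, the hours/minutes/seconds to total-seconds conversion done by the ruby filter, plus the TX + RX sum the question wants to query on. The sample lines are constructed to match the message shape shown above; the unparseable fourth line stands in for an event grok would tag with _grokparsefailure.

```ruby
# Regex equivalent of the grok pattern in the answer:
# Duration: %{NUMBER:hours}h:%{NUMBER:minutes}m:%{NUMBER:seconds}s, ...
DURATION_MESSAGE = /
  Duration:\s+(?<hours>\d+)h:(?<minutes>\d+)m:(?<seconds>\d+)s,\s+
  Bytes\ xmt:\s+(?<xmt>\d+),\s+
  Bytes\ rcv:\s+(?<rcv>\d+),\s+
  Reason:\s+(?<reason>.*)
/x

# Parse one message into the fields the pipeline would produce.
# Returns nil when the line does not match (grok would tag _grokparsefailure).
def parse_duration_message(message)
  m = DURATION_MESSAGE.match(message)
  return nil unless m

  hours, minutes, seconds = m[:hours].to_i, m[:minutes].to_i, m[:seconds].to_i
  xmt, rcv = m[:xmt].to_i, m[:rcv].to_i
  {
    # Same arithmetic as the ruby filter's duration2.
    "duration_seconds" => hours * 3600 + minutes * 60 + seconds,
    "xmt" => xmt,
    "rcv" => rcv,
    "total_bytes" => xmt + rcv,
    "reason" => m[:reason].strip,
  }
end

# Constructed sample lines in the same shape as the thread's message.
SAMPLE_LINES = [
  "Duration: 0h:00m:16s, Bytes xmt: 76895, Bytes rcv: 81897, Reason: User Requested",
  "Duration: 1h:10m:16s, Bytes xmt: 76895, Bytes rcv: 81897, Reason: User Requested",
  "Duration: 12h:05m:00s, Bytes xmt: 10, Bytes rcv: 20, Reason: Idle Timeout",
  "Some unrelated log line",
]

# The two queries the question asks about: longest session and largest
# TX + RX total, computed over whatever lines parsed.
def summarize(lines)
  events = lines.map { |l| parse_duration_message(l) }.compact
  {
    "parsed" => events.size,
    "max_duration_seconds" => events.map { |e| e["duration_seconds"] }.max,
    "max_total_bytes" => events.map { |e| e["total_bytes"] }.max,
  }
end

if __FILE__ == $0
  SAMPLE_LINES.each { |l| p parse_duration_message(l) }
  p summarize(SAMPLE_LINES)
end
```

Storing duration as an integer number of seconds (rather than a date with a made-up year) is what lets a max or sum aggregation answer "highest online time" directly.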
