Handling running time duration format "ddd:hh:mm:ss"

Has anyone needed to handle a custom duration field from servers showing running time?
I am just starting out and trying to get a handle on the best way to handle it without creating a grok mutate mess to convert to seconds or similar.

I have created a custom grok pattern to extract it nicely in the above string format so the next step is to handle the days field as the odd one out.

Am I missing something as easy as a custom mapping to create my own duration field for Kibana?

I don't think there is a nice way to go around it. Elasticsearch does not support custom data types.

Eventually, converting it to seconds would be the most convenient and hassle-free for you in the long run.
For what it's worth, here's how you can avoid lengthy groks.

Suppose you have a duration field with a value of "10:12:50:50", the code below would replace it with the equivalent in seconds.

filter {
  ruby {
    code => "
      d, h, m, s = event.get('duration').split(':').map { |str| str.to_i }
      event.set('duration', d*86400 + h*3600 + m*60 + s)
    "
  }
}

1 Like
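A stricter version of the conversion in the answer above, as an added example that is not part of the original thread: it validates the "ddd:hh:mm:ss" shape and returns nil for missing or malformed values, so a bad record is not indexed with a wrong number. The names `duration_to_seconds`, `DURATION_RE` and `SAMPLES` are hypothetical, and the accepted digit widths are an assumption about the source format.

```ruby
# Added example: strict converter for "ddd:hh:mm:ss" running-time strings.
# Assumption: days are 1+ digits; hours, minutes and seconds are 1-2 digits.
DURATION_RE = /\A(\d+):(\d{1,2}):(\d{1,2}):(\d{1,2})\z/

# Returns total seconds as an Integer, or nil when the value is missing or
# malformed, so the caller can leave the field untouched.
def duration_to_seconds(value)
  return nil unless value.is_a?(String)

  match = DURATION_RE.match(value.strip)
  return nil unless match

  # Base 10 is explicit so zero-padded parts such as "08" are not read as octal.
  d, h, m, s = match.captures.map { |part| Integer(part, 10) }
  return nil if h > 23 || m > 59 || s > 59

  d * 86_400 + h * 3_600 + m * 60 + s
end

# Constructed sample values (not real server output).
SAMPLES = ['10:12:50:50', '000:08:09:07', '3:25:00:00',
           '12:50:50', 'up 3 days', nil].freeze

# Pairs each raw value with its converted result (nil means rejected).
def convert_all(values)
  values.map { |v| [v, duration_to_seconds(v)] }
end

if __FILE__ == $PROGRAM_NAME
  convert_all(SAMPLES).each do |raw, secs|
    puts format('%-16s -> %s', raw.inspect, secs.nil? ? 'rejected' : secs)
  end
end
```

Inside the ruby filter, the same logic would read the field with `event.get('duration')` and call `event.set` only when the result is not nil.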

I will give that a try as I have the field coming in from many docs so I am trying to be simple and clean to run everything through the one filter where possible.

Thanks for the quick response, my productivity today will likely go up!

Just checked and confirmed solved!
