How do I subtract two timestamps in VisualBuilder

In my JSON I have two fields of type date: @timestamp and ls-timestamp

Let's say that i have the following in my JSON document in ES:

@timestamp in Kibana Discover mode prints this string: March 22nd 2018, 21:54:08.794
ls-timestamp in Kibana Discover mode prints this string: March 22nd 2018, 21:54:08.886

My goal is to compute a lag from when the application generated the log line (converted to @timestamp) and when LogStash actually processed the log-line (ls-timestamp).

A subtraction given the data above would give me 992 milliseconds or .992 seconds.

I tried to do a calculation, but you have to have agg to calculate on.
Then I tried to get a series with max of @timestamp, but date is not a number type -- so no max.
And even if I could use max on @timestamp, calculation would also requires @timestamp to be number AFAICT.

Any pointers are much appreciated.

Hi @iamthealex,

I'm thinking you can make a scripted field to convert the date to a number, then use that in the Visual Builder.

See this post for more information [scripted field] convert String date to timestamp

This for responding Chris, but converting date to number is exactly what I need and don't know how to do.
I looked at the link you posted, and it talks about converting string to Date, but I don't see how to convert date to number.

Hi,

https://www.elastic.co/guide/en/elasticsearch/reference/5.0/modules-scripting-expression.html#_date_field_api lists doc['field_name'].date.secondOfDay as something you can do. You can convert both to that measurement and compare.

Okay, I guess I can do that and if I get a negative number ( because the first timestamp is end of day N and second is beginning of day N+1), then I can "fix it".

doc['field_name'].date.epochMillis would be a lot easier though.

Thank you.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.