How to add timestamp to aggregate filter

krishna_bhargav · October 24, 2019, 5:30pm

filter contents below, timeevent should display current timestamp

aggregate {

		task_id => "%{ENVIRONMENT_ID}_%{SPN_FIRM_ID}_%{ENTITY_TYPE}_%{ENTITY_ID}"
		code => '
			map["keyInformation"] ||= {}
			map["keyInformation"]["environmentId"]  = event.get("ENVIRONMENT_ID")
			map["keyInformation"]["entityId"] = event.get("ENTITY_ID")
			map["keyInformation"]["entityType"] = event.get("ENTITY_TYPE")
			map["keyInformation"]["firmId"] = event.get("SPN_FIRM_ID")
			
		
			map["associatedSleeves"] ||= [] 
			map["associatedSleeves"] << { 
			 "sleeveId" => event.get("SLV_ID") ,
			 "type" => event.get("SUB_MODEL_ID") ,
			 "nickname" => event.get("OWNER_ID") ,
			 "timeevent" => "%{@timestamp}" 
			}			
			event.cancel
		'
		push_map_as_event_on_timeout => true
		timeout => 2
    }

current output:

      "associatedSleeves" : [
        {
          "nickname" : "1",
          "type" : "1",
          "timeevent" : "%{@timestamp}",
          "sleeveId" : "146180"
        },
        {
          "nickname" : "2",
          "type" : "1",
          "timeevent" : "%{@timestamp}",
          "sleeveId" : "146181"
        }
      ],
      "keyInformation" : {
        "entityId" : "363147",
        "environmentId" : "QA_FDX",
        "firmId" : "101",
        "entityType" : "AC",
        "lastUpdated" : "2019-10-24T17:22:47.087Z"
      }

Badger · October 24, 2019, 5:44pm

Use event.get just as you did for the other fields.

krishna_bhargav · October 24, 2019, 6:02pm

@Badger Perfect it works ..Thanks

system · November 21, 2019, 6:02pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.