How to modify a single value from timestamp

Hi all,
I'm trying to find a way to substitute a single value from @timestamp for another one, for instance the hour.

So far I know you can get the timestamp separated values using %{+HH}, but I can't find a way to do something like:
    mutate { replace => { '+HH' => '%{fake_hour_value}' } }

Can you guys help me? I just need to substitute the '@timestamp' hour for another value. This also raises the following question: would it be necessary to use the date filter plugin afterwards, or would Elasticsearch be able to process the new @timestamp as such?

Thanks in advance.

I forgot to mention I have a way of doing this already, but it is far from what I consider ideal:

    # Split @timestamp into its parts (everything except the hour)
    mutate {
        add_field => { "ts_minute" => "%{+mm}" }
        add_field => { "ts_second" => "%{+ss}" }
        add_field => { "ts_millisecond" => "%{+SSS}" }
        add_field => { "ts_year" => "%{+yyyy}" }
        add_field => { "ts_month" => "%{+MM}" }
        add_field => { "ts_day" => "%{+dd}" }
    }
    # Rebuild an ISO8601 string, using ingested_hour in place of the original hour
    mutate { add_field => { "timestamp2" => "%{ts_year}-%{ts_month}-%{ts_day}T%{ingested_hour}:%{ts_minute}:%{ts_second}.%{ts_millisecond}Z" } }
    # Parse the rebuilt string back into @timestamp
    date {
        timezone => "UTC"
        match => [
            "timestamp2",
            "ISO8601"
        ]
    }

The ingested_hour is obtained previously, in case you are wondering. This does work for me, but I would like to know if there's a more sophisticated approach.

Thanks.

You could use mutate+gsub. Something like

    # Copy @timestamp into a string field, then swap only the hour digits
    mutate { add_field => { "timestamp2" => "%{@timestamp}" } }
    mutate { convert => { "timestamp2" => "string" } }
    mutate { gsub => [ "timestamp2", "(\d{4}-\d{2}-\d{2}T)\d{2}(:\d{2}:\d{2}\.\d{3}Z)", "\1%{ingested_hour}\2" ] }

Not sure if that counts as more sophisticated though.

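Added example, not part of the thread: mutate's gsub runs on Ruby's regex engine, so this standalone Ruby script applies the same hour substitution and adds guards for inputs that would leave timestamp2 unparseable by the date filter. The helper name `replace_hour` and all sample values are constructed for illustration and are not a Logstash API.

```ruby
require "time"

# Same shape as the gsub pattern in the reply above, anchored so that only a
# complete ISO8601 UTC timestamp with milliseconds matches.
TS_PATTERN = /\A(\d{4}-\d{2}-\d{2}T)\d{2}(:\d{2}:\d{2}\.\d{3}Z)\z/

# Returns the timestamp with its hour replaced, or nil when the rewrite would
# not yield a valid timestamp (hypothetical helper, not a Logstash API).
def replace_hour(timestamp, hour)
  hour_s = hour.to_s
  # Rejects non-numeric input, including a literal "%{ingested_hour}", which
  # is what Logstash's sprintf leaves behind when the field is missing.
  return nil unless hour_s.match?(/\A\d{1,2}\z/)
  return nil unless hour_s.to_i.between?(0, 23)
  # A plain gsub leaves a non-matching string unchanged; report it instead.
  return nil unless timestamp.match?(TS_PATTERN)

  padded = hour_s.rjust(2, "0") # "7" -> "07", otherwise ISO8601 parsing fails
  timestamp.sub(TS_PATTERN) { "#{$1}#{padded}#{$2}" }
end

if __FILE__ == $0
  # Constructed sample inputs: [timestamp string, ingested_hour value]
  samples = [
    ["2023-05-17T14:45:12.345Z", "7"],
    ["2023-05-17T14:45:12.345Z", "24"],
    ["2023-05-17T14:45:12.345Z", "%{ingested_hour}"],
    ["2023-05-17 14:45:12", "07"],
  ]
  samples.each do |ts, hour|
    result = replace_hour(ts, hour)
    if result
      puts "#{ts} + #{hour.inspect} -> #{Time.iso8601(result).utc.iso8601(3)}"
    else
      puts "#{ts} + #{hour.inspect} -> rejected, keep original @timestamp"
    end
  end
end
```
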

Thanks, that works as sophisticated for me since I can't do regex :sweat_smile: It works perfectly, thank you!!!
