Hello,
I'm parsing some logs and I have a timestamp field (that goes in @timestamp) and a float field mapped in duration.
What I'm trying to do is to copy the @timestamp to another field, and then add the duration to the original @timestamp. I've tried this solution:
filter {
  ruby {
    code => 'event.set("times_created", event.get("@timestamp"))'
    id => "copy_date"
  }
  ruby {
    code => 'event.set("@timestamp", event.get("@timestamp") + event.get("duration"))'
    id => "add_duration"
  }
}
But it fails with the following error:
Ruby exception occurred: wrong argument type Time (expected LogStash::Timestamp)
What am I doing wrong?
For reference, this is a document indexed by Elasticsearch:
{
  "_index": "conn",
  "_type": "doc",
  "_id": "05pqY2MBZbpJx82QgqXO",
  "_version": 1,
  "_score": null,
  "_source": {
    "@version": "1",
    "duration": 0.01403,
    "history": "Dd",
    "orig_pkts": 1,
    "tunnel_parents": [],
    "service": "dns",
    "@timestamp": "2018-05-15T10:48:18.335Z",
    "orig_bytes": 41,
    "resp_pkts": 1,
    "conn_state": "SF",
    "times_created": "2018-05-15T10:48:18.335Z",
    "proto": "udp",
    "dst_port": 53,
    "tags": [
      "conn"
    ],
    "src_port": 35180,
    "path": "/var/log/conn.log",
    "local_orig": true,
    "resp_bytes": 91,
    "orig_ip_bytes": 69,
    "missed_bytes": 0,
    "resp_ip_bytes": 119,
    "local_resp": false,
    "uid": "CtVSb32rVU7FY8Owa1",
    "dst_addr": "134.64.2.50",
    "host": "logstash",
    "src_addr": "172.20.0.156"
  },
  "fields": {
    "@timestamp": [
      "2018-05-15T10:48:18.335Z"
    ],
    "times_created": [
      "2018-05-15T10:48:18.335Z"
    ]
  },
  "highlight": {
    "tags": [
      "@kibana-highlighted-field@conn@/kibana-highlighted-field@"
    ]
  },
  "sort": [
    1526381298335
  ]
}
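Added illustration (not the poster's code and not Logstash's own): plain Ruby that performs the copy-then-shift described in the post on a constructed hash standing in for the Logstash event, with the Logstash-specific type requirement behind the reported error noted in the comments.

```ruby
require 'time'

# Constructed sample event mirroring the two fields used by the filters above.
SAMPLE_EVENT = {
  "@timestamp" => "2018-05-15T10:48:18.335Z",
  "duration"   => 0.01403,
}

# Return a copy of the event with @timestamp preserved in times_created and
# then shifted forward by the float `duration` (seconds).
#
# Plain-Ruby stand-in for the two ruby{} filters. Inside Logstash the same
# arithmetic (LogStash::Timestamp + Float) yields a bare Ruby Time, and
# event.set("@timestamp", ...) only accepts a LogStash::Timestamp, which is the
# "wrong argument type Time (expected LogStash::Timestamp)" error in the post;
# there the shifted Time must be wrapped as LogStash::Timestamp.new(time).
def shift_timestamp(event)
  out = event.dup
  duration = event["duration"]
  # Edge case: a missing or non-numeric duration would raise a TypeError inside
  # the filter for that event, so leave the event untouched instead.
  return out unless duration.is_a?(Numeric)

  original = Time.iso8601(event["@timestamp"])
  out["times_created"] = event["@timestamp"]   # keep the untouched copy
  shifted = original + duration               # Time + Float => Time
  out["@timestamp"] = shifted.utc.iso8601(3)  # millisecond precision, as Logstash stores it
  out
end

if __FILE__ == $0
  p shift_timestamp(SAMPLE_EVENT)
end
```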