Logstash date difference in minutes

(Dallas Toth) #1

I am looking for some direction on filters. I have a event with a startdatetime and enddatetime I need to add a field to the same event which is the difference in minutes. Elapse won't work since the startdatetime and enddatetime are in the same event. I need to add a new field called minutes that is a calculation of enddatetime - startdatetime.

(Dallas Toth) #2

I figured it out. With a help from a post from @ottignon

ruby {
init => "require 'time'"
code => "startdatetime = Time.iso8601(event['[records][start_date]'].to_s).to_i;
enddatetime = Time.iso8601(event['[records][end_date]'].to_s).to_i;
event['seconds'] = enddatetime - startdatetime;
event['minutes'] = (enddatetime - startdatetime) / 60;
event['hours'] = ((enddatetime - startdatetime) / 60) / 60;"

(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.