Logstash date filter in UNIX_MS from two fields

Frances_Buontempo · September 6, 2017, 12:21pm

I have some data from snort which has two subfields, in an !event¬ fields:
"event-microsecond" => 289367,
"event-second" => 1493741082,

I am trying to compose these into a float and then tell Elasticsearch it's the timestamp field.

filter {
mutate { add_field =>
{ "full_timestamp" => "[event][event-second].[event][event-microsecond]" }
}
mutate { convert => { "full_timestamp" => "float" } }
date {
locale => "en"
match => ["full_timestamp", "UNIX_MS" ]
target => "@timestamp"
}
}
give me 0.0 for the full_timestamp, so I'm doing something wrong when I try to make the new field.

I then tried
mutate { add_field => { "full_timestamp" => "%{[event][event-second]}.%{[event][event-microsecond]}" } }
and got
"full_timestamp" => 1493741082.289367,
"@timestamp" => 1970-01-18T06:55:41.082Z,

The new field looks about right, but the date is wrong by miles; it should be 2nd May 2017.

magnusbaeck · September 6, 2017, 1:35pm

UNIX_MS expects the input to be the time in milliseconds since the epoch, so to get the expected results you'll want full_timestamp to contain 1493741082289. You can use a ruby filter to divide event-microsecond by 1000 to turn it into milliseconds, then use a mutate filter to simply concatenate event-second and event-microsecond (with no intervening decimal point). Well, the concatenation could of course also be done with the same ruby filter.

Frances_Buontempo · September 6, 2017, 2:03pm

I don't know much ruby but have tried this which seems to work:
(advice on something neater more than welcome)

filter {
    ruby {
      code => "s = sprintf('%03d', (event.get('[event][event-microsecond]').to_i/1000)); s = s + '000'; event.set('milliseconds', s[0..2])"
      add_tag => ["ran the code"]
    }

    mutate { add_field =>
      { "full_timestamp" => "%{[event][event-second]}%{milliseconds}" }
    }
    mutate { convert => { "full_timestamp" => "integer" } }
    date  {
        locale => "en"
        match => ["full_timestamp", "UNIX_MS" ]
        target => "@timestamp"
    }
}

giving:
"milliseconds" => "289",
"full_timestamp" => 1493741082289,
"@timestamp" => 2017-05-02T16:04:42.289Z,

magnusbaeck · September 6, 2017, 2:09pm

Shorter:

event.set('full_timestamp', event.get('[event][event-second]').to_s + (event.get('[event][event-microsecond]') / 1000).to_s)

Frances_Buontempo · September 6, 2017, 2:16pm

Still leaving the mutate to make it an integer?

magnusbaeck · September 6, 2017, 2:24pm

No, you can drop that if you want.

Frances_Buontempo · September 6, 2017, 2:26pm

Perfect.
Is the date plugin treating it as an integer, so the ruby?

magnusbaeck · September 6, 2017, 2:52pm

The date filter parses strings. I'm sure it's fine with parsing an integer field but it'll start with converting the integer into a string.

Frances_Buontempo · September 7, 2017, 12:31pm

One final observation,

I suspect I need
'[event][event-second]').to_s + (event.get('[event][event-microsecond]') / 1000000).to_s)
to change microseconds (I had /1000 before, which is milliseconds)

magnusbaeck · September 7, 2017, 12:59pm

The desired result is milliseconds so it's correct to divide by 1000. The input is 1493741082 and 289367 and you want 1493741082289.

system · October 5, 2017, 12:59pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Date filter with nano seconds Logstash	2	1851	April 22, 2017
Convert NanoSecond Unix timestamp Logstash	9	1182	February 28, 2023
Timestamp to epoch in microseconds - am I doing this right? Logstash	4	7576	December 7, 2017
How to index nanoseconds precision events with Logstash (7.10) and type date_nanos Logstash	1	5417	February 21, 2021
Logstash: convert date string to timestamp in millisecond Logstash	7	5795	July 6, 2017

Logstash date filter in UNIX_MS from two fields

Related topics