I am planning to create a time difference betwen one logstash and another so in second one i made a ruby code to make a time difference. Although i am quite there i need to not add a field to an event but to create a new event with that how could i do it ?
I tried
code => '["delta_time"] = Time.now.to_i - event["@timestamp"].to_i '
but it gives an error.
So were you able to do it ? i have a similar usecase can i get your help?
hi, try:
ruby {
code => "event['delta_time'] = Time.now.to_i - event['@timestamp'].to_i"
}
that should be at least the right logstash syntax
"Time.now.to_i " what does it tell? can you share your config file? actually i want calculate time difference between each event so that i can see which even had maximum gap and should look into it.
Please help
ok i got it what it does. can we subtract present event with last event time difference?
i am facing an issue that when i take timestamp (one of the field in my logs) when i use to_i with it it takes just year .
"time" => 2015,
when my config was : event['time'] = event['timestamp'].to_i
so result is coming wrong
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.