That was my very first attempt. The maths it produced was all wrong for some reason. I've actually got some working code now (messy with string conversions, though server resources on a tiny virtual machine seem to be coping fine with 5000 events a minute):
filter {
  # Only compute when both fields are present; otherwise the ruby block
  # would raise on a nil value.
  if [received_at] and [@timestamp] {
    ruby {
      init => "require 'time'"
      # event['field'] is the Logstash 2.x field accessor; Logstash 5 and
      # later prefer event.get / event.set.
      code => "
        # Both values are stringified and parsed as ISO 8601, then reduced to
        # whole epoch seconds (sub-second precision is truncated by to_i).
        received_by_indexer = Time.iso8601(event['received_at'].to_s).to_i;
        time_in_event = Time.iso8601(event['@timestamp'].to_s).to_i;
        # Positive = event arrived after its own timestamp (ingest lag);
        # negative = indexer clock is behind the source.
        event['time_difference_in_seconds'] = received_by_indexer - time_in_event;
        event['epoch_received_at_in_seconds'] = received_by_indexer;
        event['epoch_timestamp_in_seconds'] = time_in_event;
      "
      add_tag => [ "calculated_time_difference" ]
    }
  }
}
I guess this will need optimising but I hope this thread helps anyone else out there googling for a solution. Any obvious gotchas with the above?
Once again Craig, thank you very much for your time. I was expecting it to be years before anyone replied with anything at all.
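The filter in the post above, reworked as a plain Ruby function so the arithmetic and its gotchas can be checked outside Logstash. This is an added example, not code from the original post or from Logstash itself: a Hash stands in for the Logstash event, the sample events are constructed, and the `_time_difference_parse_failure` tag and the `time_difference_in_ms` field are assumptions added here to show two things the original does not handle, an unparsable timestamp (which would otherwise abort the ruby filter) and the sub-second precision lost by `to_i`.

```ruby
require 'time'

# Constructed sample events (assumption: a Hash stands in for the Logstash event).
# Epoch of 2016-03-01T10:00:00Z is 1456826400.
SAMPLE_EVENTS = [
  # normal case: 7.25 s of ingest lag
  { '@timestamp' => '2016-03-01T10:00:00.000Z', 'received_at' => '2016-03-01T10:00:07.250Z' },
  # indexer clock 2 s behind the source: difference goes negative
  { '@timestamp' => '2016-03-01T10:00:00Z',     'received_at' => '2016-03-01T09:59:58Z' },
  # received_at missing: the filter's `if` guard skips the event untouched
  { '@timestamp' => '2016-03-01T10:00:00Z' },
  # unparsable @timestamp: the original ruby block would raise here
  { '@timestamp' => 'not a date', 'received_at' => '2016-03-01T10:00:00Z' },
].freeze

PARSE_FAILURE_TAG = '_time_difference_parse_failure'.freeze  # assumed name
CALCULATED_TAG    = 'calculated_time_difference'.freeze      # from the post

# Returns a new event hash with the difference fields and tags added.
def calculate_time_difference(event)
  out = event.dup
  # Mirrors `if [received_at] and [@timestamp]` in the Logstash filter.
  return out unless out['received_at'] && out['@timestamp']

  begin
    received_by_indexer = Time.iso8601(out['received_at'].to_s)
    time_in_event       = Time.iso8601(out['@timestamp'].to_s)
  rescue ArgumentError
    # Tag instead of raising, so one bad record does not break the pipeline.
    out['tags'] = (out['tags'] || []) + [PARSE_FAILURE_TAG]
    return out
  end

  # Same whole-second arithmetic as the post (to_i truncates sub-seconds).
  out['time_difference_in_seconds']  = received_by_indexer.to_i - time_in_event.to_i
  # Time - Time is a Float of seconds; keep the milliseconds the post discards.
  out['time_difference_in_ms']       = ((received_by_indexer - time_in_event) * 1000).round
  out['epoch_received_at_in_seconds'] = received_by_indexer.to_i
  out['epoch_timestamp_in_seconds']   = time_in_event.to_i
  out['tags'] = (out['tags'] || []) + [CALCULATED_TAG]
  out
end

# Summarise a batch: worst ingest lag, how many events show clock skew
# (negative difference) and how many failed to parse.
def lag_summary(events)
  processed = events.map { |e| calculate_time_difference(e) }
  diffs = processed.map { |e| e['time_difference_in_seconds'] }.compact
  {
    max_lag_seconds: diffs.max,
    skewed:          diffs.count { |d| d < 0 },
    parse_failures:  processed.count { |e| (e['tags'] || []).include?(PARSE_FAILURE_TAG) },
    skipped:         processed.count { |e| !e.key?('time_difference_in_seconds') && !(e['tags'] || []).include?(PARSE_FAILURE_TAG) },
  }
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_EVENTS.each { |e| p calculate_time_difference(e) }
  p lag_summary(SAMPLE_EVENTS)
end
```

A negative `time_difference_in_seconds` is worth alerting on in its own right: it means the indexer and the log source disagree about the time, which also skews every other time-based correlation you do on those events.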