I have a CSV that has multiple durations that are in seconds but one of the columns has the duration as 00:00:30 for 30 seconds for example. I cant work out how to get that into seconds/integer easily. I can think of a few ways, breaking it up into hours, minutes, seconds etc. I also tried using a date filter then converting the object with ruby to integer but that didn't work.
Is there an efficient way of doing this?
Using a date filter will not work unless you diff it with 00:00:00 because there are defaults for the other fields. I would go for "breaking it up into hours, minutes, seconds". What did you try and what did not work?
TEST REPLY
TEST REPLY 2
TEST REPLY 3
Hi Badger, finally got back to working on this.
Ended up doing the below which seems to be working well.
grok {
match => { "ConnectedTime" => "%{NUMBER:dur_hours}:%{NUMBER:dur_mins}:%{NUMBER:dur_secs}"}
}
ruby {
code => "
h = event.get('dur_hours').to_i / 3600
m = event.get('dur_mins').to_i / 60
s = event.get('dur_secs').to_i
event.set('ConnectedDuration', h + m + s).to_i
"
}
mutate {
remove_field => ["dur_hours", "dur_mins", "dur_secs"]
}
Surely "/ 3600" and "/ 60" should be "* 3600" and "* 60". Also, calling .to_i on the return value of event.set does nothing, you should remove that.
Personally I would move the remove_field into the ruby filter so that if something in those fields causes it to throw an exception those fields are not removed.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.