Question about time addition by Ruby filter

smash · October 11, 2019, 3:42am

The following was correctly output to the "date_time_1" field after adding 9 hours to the date and time of "Timestamp".The following is the source

    ruby {
			 code => "event.set('tt',event.get('[@timestamp]').time.localtime('+09:00').strftime('%Y-%m-%d %H:%M:%S'))" 
    }

    mutate {
        add_field => {"date_time_1" => "%{[tt]}"}
	}

The problem is this
it was not output correctly after adding 9 hours to the date and time of IISLog output to the log.The value of the “date_time_1” field is “% {[tt]}”.
The following is the source

    #Input data byIISlog
    grok {
        match => ["message", "%{TIMESTAMP_ISO8601:date_time} %{GREEDYDATA:etc}"]
	}

    date {
    	match => [ "date_time", "YYYY-MM-dd HH:mm:ss"]
    	timezone => "Etc/GMT"
    	target => "date_time"
	}

    ruby {
			 code => "event.set('tt',event.get('[date_time]').time.localtime('+09:00').strftime('%Y-%m-%d %H:%M:%S'))" 
    }

    mutate {
        add_field => {"date_time_1" => "%{[tt]}"}
	}

What format does the IISLog date and time calculate with the Ruby filter? Please tell me.

Supplement
The IIS log "2019-01-01 01:23" UTC time.write
I want to convert this to "2019-01-01 10:23" and outputing.
Please let me know if you have any alternative means.
thanks

Badger · October 11, 2019, 3:40pm

Specify a different timezone in the date filter?

date {
    match => [ "date_time", "YYYY-MM-dd HH:mm:ss"]
    timezone => "Etc/GMT+9"
    target => "date_time"
}

smash · October 15, 2019, 1:55am

Badger

The reply was delayed during the holidays.
Thank you for your reply.

Even without using a Ruby script, we were able to achieve what we wanted to do with the description you taught us.

Thank you for teaching me.

system · November 12, 2019, 1:55am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.