Retrieve Hour and Day from Timestamp

Hello!

My code here is getting the hour and day from a new (and more accurate) timestamp. The timestamp is updated with a -0600 for the timezone. When I retrieve the hour from this timestamp, it doesn't include the fact that the timezone changed. So the hour is 6 hours ahead. How can I fix that?

(I know I can't just subtract 6 b/c then I run into all kinds of issues with 3pm - 6 = "a negative hour" ..etc)

  if [sourceType] == "zOS-SMF_030" {
    csv{
        columns => [  "Correlator", "SMF30LEN", "SMF30SEG", "SMF30FLG", "SMF30RTY", "SMF30PSN", "SMF30CL8", "SMF30ISS", "SMF30IET", "SMF30SSN", "SMF30EXN", "SMF30ASI", "SMF30COR" ]
        separator => ","
    }
    mutate { add_field => {
        "@SMF_TIMESTAMP" => "%{SMF30DTE} %{SMF30TME}"
    }}
    date {
        match => ["@SMF_TIMESTAMP", "YYYY-MM-dd HH:mm:ss:SSS"]
        target => "@SMF_TIMESTAMP"
        timezone => "-0600"
    }
    ruby {
      code => "event.set('[day_of_week]',event.get('@SMF_TIMESTAMP').time.strftime('%a'))
      event.set('[hour]',event.get('@SMF_TIMESTAMP').time.strftime('%H'))
      event.set('[day]',event.get('@SMF_TIMESTAMP').time.strftime('%d'))"
    }
    mutate {
      convert => {
        "day" => "integer"
        "hour" => "integer"
      }
    }
  }

Here's an image to help explain:

image

As you can see, the timestamp shows 10am but the hour field shows 16 (4pm).

If that image is from Kibana then note that Kibana, by default, will have adjusted @SMF_TIMESTAMP to the timezone of the browser. It will not be doing that with [hour].

If you want to extract the hour in the local timezone of the log then use another date filter with timezone => UTC and run your ruby code against the output of that.

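The effect described in the reply above, as an added example in plain Ruby that is not part of the original thread: it shows why fields taken from the stored UTC instant are 6 hours ahead (and can land on the next day), and how re-parsing the same string as UTC keeps the log's wall-clock values. The function names and sample timestamps are constructed for illustration, and the `getlocal` variant goes beyond what the reply suggests.

```ruby
require 'time'

# Layout of "%{SMF30DTE} %{SMF30TME}" as matched by the page's date filter.
LAYOUT = '%Y-%m-%d %H:%M:%S:%L'

# The three fields the page's ruby filter sets, taken from a Time object.
def fields(t)
  { 'day_of_week' => t.strftime('%a'), 'hour' => t.hour, 'day' => t.day }
end

# First date filter: read the string as -0600 wall-clock time, store the UTC instant.
def utc_instant(raw, offset = '-0600')
  Time.strptime("#{raw} #{offset}", "#{LAYOUT} %z").utc
end

# Behaviour reported in the question: fields extracted from the UTC instant.
def fields_in_utc(raw)
  fields(utc_instant(raw))
end

# Approach from the reply: parse the same string again as UTC, so the
# wall-clock digits survive, and extract the fields from that value.
def fields_via_utc_reparse(raw)
  fields(Time.strptime("#{raw} +0000", "#{LAYOUT} %z").utc)
end

# Alternative (an assumption, not from the thread): shift the stored
# instant back to the log's own offset before formatting.
def fields_via_offset(raw, offset = '-06:00')
  fields(utc_instant(raw).getlocal(offset))
end

# Constructed sample timestamps; the second one crosses midnight in UTC,
# which is why "hour - 6" cannot be used as a fix.
SAMPLES = ['2019-03-04 10:15:30:000', '2019-03-04 20:30:00:000'].freeze

SAMPLES.each do |raw|
  puts "#{raw}  utc=#{fields_in_utc(raw)}  reparse=#{fields_via_utc_reparse(raw)}"
end
```
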

Ok, I'll give that a shot and post here whether or not it works.

This worked like a charm. Thanks!
