Hi all,
I had to calculate a new date field: given a timestamp and a offset I need to set a new field with the value timestamp+offset
I solved the problem but I'm sure that there is a better way to do it.
I use ruby code in order to calculate the new field, but it is calculated with the wrong timezone; then I use a temporary field and a date plugin again.
Anyone can help me to improve the solution?
(below the details)
Thanks a lot
Regards
Anna
logstash.conf
-
First I get the timestamp
date {
match => [ "ts", "yyyyMMddHHmmss" ]
timezone => "Europe/Andorra"
remove_field => [ "ts" ]
} -
Convert the offset to integer
mutate { convert => { "duration" => "integer" } } -
Calculate new temp field with ruby plugin. It returns a field of type "date" but with the wrong timezone
ruby { code => "event.set('ts_temp',event.get('@timestamp')+event.get('duration'))" } -
Using ruby I get a another temp field of type keyword. Using strftime a get the correct timezone
ruby { code => "event.set('ts_temp2',event.get('ts_temp').time.localtime.strftime('%Y-%m-%d:%H:%M:%S'))" } -
Finally I get the desired field using the date plugin
date {
match => [ "ts_temp2", "YYYY-MM-dd:HH:mm:ss"]
timezone => "UTC"
target => [ "ts_stop" ]
}
Here are the mappings
"ts_stop": {
"type": "date"
},
"ts_temp": {
"type": "date"
},
"ts_temp2": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}