I'm collecting logs using elastic agent. The problem is, in the @timestamp field I have the time when the event actually happened, but I also need the time when the log arrived in logstash. I was thinking to use ruby (ruby { code => "event.set('systemtime', Time.now());" }) to get the system time, but ruby is too slow. Also there aren't any plugins with such functionality. Any suggestions?
Why do you say that?
Just my observations, I suppose
Respectfully, it would be better to use something numeric to demonstrate this "slowness".
But clearly if you want to insert the value of "now" into a document you need to look up when "now" is. Is there a more efficient way than the ruby code, which is a variant of what is posted each time this Q is asked?
Well, I don't know if it would be faster, but there are hacky ways, like parsing /proc/uptime. But I don't think there is a "pure" way.
PS: Not directly related, but in thinking about this, I discovered recent versions of bash have
$ printf "%s\n%s\n" ${EPOCHREALTIME} ${EPOCHSECONDS}
1734525193.150271
1734525193
$ type -a printf
printf is a shell builtin
printf is /usr/bin/printf
which gives an exec/fork-free way inside a shell script.
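The following is an added example, not code posted by anyone in this thread. It shows the arrival-time idea from the original question as a file-based Logstash ruby filter script (loaded with ruby { path => "ingest_time.rb" } instead of an inline code => block), and it goes a little beyond the question: besides stamping the arrival time it records the lag between the event's @timestamp and arrival, and tags events whose lag exceeds a threshold, which is a useful signal when hunting for delayed or replayed log sources. It also includes a small timing function so the "ruby is too slow" claim can be checked with a number, as the reply above asks for. The field names logstash_received_at and ingest_lag_seconds, the stale_event tag and the StubEvent class are assumptions made for this example; inside Logstash the real event object is passed to filter and the stub is never used.

```ruby
# Added example (not from the thread): Logstash ruby-filter script that records
# when an event reached Logstash and how far behind its own @timestamp it is.
# Logstash calls register(params) once and filter(event) per event; filter must
# return an array of events.
require 'time'

RECEIVED_FIELD = 'logstash_received_at'  # assumed field name
LAG_FIELD      = 'ingest_lag_seconds'    # assumed field name
STALE_TAG      = 'stale_event'           # assumed tag name

# Called once at pipeline start; script_params arrive as a string-keyed hash.
def register(params)
  @stale_after = (params['stale_after_seconds'] || 300).to_f
end

# Called per event. Time.now is read once and reused for both fields.
def filter(event)
  @stale_after ||= 300.0
  now = Time.now.utc
  # ISO 8601 with millisecond precision and a trailing Z, the same shape as
  # @timestamp, so Elasticsearch maps it as a date without extra configuration.
  event.set(RECEIVED_FIELD, now.iso8601(3))

  ts = event.get('@timestamp')
  # LogStash::Timestamp (and plain Time in the stub) both respond to to_f.
  if ts.respond_to?(:to_f)
    lag = (now.to_f - ts.to_f).round(3)
    event.set(LAG_FIELD, lag)
    event.tag(STALE_TAG) if lag > @stale_after
  end
  [event]
end

# Cost of one Time.now call in microseconds, measured over `iterations` calls.
# Compare this against your pipeline's per-event budget before blaming ruby.
def micros_per_time_now(iterations = 100_000)
  t0 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  iterations.times { Time.now }
  t1 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  (t1 - t0) * 1_000_000.0 / iterations
end

# Minimal stand-in for the Logstash event object so the script runs outside
# Logstash. Only the methods used above are implemented.
class StubEvent
  def initialize(fields)
    @fields = fields
  end

  def get(key)
    @fields[key]
  end

  def set(key, value)
    @fields[key] = value
  end

  def tag(name)
    @fields['tags'] = (@fields['tags'] || []) | [name]
  end

  def to_h
    @fields
  end
end

if $PROGRAM_NAME == __FILE__
  register({ 'stale_after_seconds' => 60 })
  # Constructed sample: an event whose own timestamp is 10 minutes old.
  sample = StubEvent.new('@timestamp' => Time.now.utc - 600, 'message' => 'sshd: session opened')
  filter(sample)
  puts sample.to_h.inspect
  puts format('Time.now costs about %.3f microseconds per call', micros_per_time_now)
end
```

Usage: save the block as ingest_time.rb, reference it with ruby { path => "/path/to/ingest_time.rb" script_params => { "stale_after_seconds" => 60 } }, and alert on documents carrying the stale_event tag or a large ingest_lag_seconds value.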