Thanks Ed - tried that earlier and there were issues. However, I have literally just found the answer thanks to another article: https://discuss.elastic.co/t/keeping-global-variables-in-ls/39908.
Relevant portion of the code updated:
# Header lines start with "zzz" and carry the date/time for the data lines that follow.
if [message] =~ "^zzz" {
  grok {
    match => ["message", "%{DATA:field1} +%{DATA:field2} +%{MONTH:month} +%{NUMBER:day} +%{TIME:time} +%{DATA:field4} +%{YEAR:year}"]
  }
  mutate {
    add_field => {
      "timestamp" => "%{day} %{month} %{year} %{time}"
    }
  }
  # A Ruby class variable (@@timestamp) persists across events, unlike event fields.
  # init runs once when the filter is created; code runs for every event.
  ruby {
    init => "@@timestamp = ''"
    code => "@@timestamp = event['timestamp']"
  }
  # The header line itself is not needed once its timestamp has been saved.
  drop {}
} else {
  grok {
    match => ["message", "%{DATA:device} +%{NUMBER:read_request_merge_avg:float} +%{NUMBER:write_request_merge_avg:float} +%{NUMBER:read_iops_avg:float} +%{NUMBER:write_iops_avg:float} +%{NUMBER:kB_read_avg:float} +%{NUMBER:kB_write_avg:float} +%{NUMBER:avg_sector_size:float} +%{NUMBER:avg_queue_size:float} +%{NUMBER:io_wait_time_ms:float} +%{NUMBER:io_service_time_ms:float} +%{NUMBER:disk_util_perc:float}"]
  }
  # Stamp every data line with the timestamp saved from the most recent header.
  ruby {
    code => "event['timestamp'] = @@timestamp"
  }
}
Simple when you know how!
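The technique in the post above, reproduced as a plain-Ruby simulation so it can be run outside Logstash. This is an added example, not code from the original post or from Logstash itself: the "zzz" header format (a "zzz ***Mon Jun 6 10:30:01 UTC 2016" line) and the iostat-style data lines are constructed sample input, and the class and method names (HeaderCarry, process, run, reset) are this example's own. The class variable @@timestamp plays the same role as in the ruby filter: it survives from one event to the next, so a data line can be stamped with the date carried by the header that preceded it.

```ruby
# Added example: simulate the Logstash "carry a header value across events"
# pattern with a Ruby class variable. Names and sample data are assumptions.
class HeaderCarry
  # Shared mutable state, like @@timestamp in the ruby filter's init block.
  @@timestamp = ''

  # Equivalent of: %{DATA:field1} +%{DATA:field2} +%{MONTH} +%{NUMBER:day} +%{TIME} +%{DATA:field4} +%{YEAR}
  HEADER_RE = /\A(?<field1>\S+)\s+(?<field2>\S+)\s+(?<month>[A-Z][a-z]{2})\s+(?<day>\d{1,2})\s+(?<time>\d{2}:\d{2}:\d{2})\s+(?<field4>\S+)\s+(?<year>\d{4})\z/

  # Equivalent of the second grok: a device name followed by 11 numeric columns.
  DATA_RE = /\A(?<device>\S+)\s+(?<values>(?:-?\d+(?:\.\d+)?\s*){11})\z/

  FIELDS = %w[read_request_merge_avg write_request_merge_avg read_iops_avg
              write_iops_avg kB_read_avg kB_write_avg avg_sector_size
              avg_queue_size io_wait_time_ms io_service_time_ms disk_util_perc].freeze

  # Constructed sample input (iostat -x style output with wrapper headers).
  SAMPLE = <<~TXT.lines.map(&:chomp).freeze
    zzz ***Mon Jun 6 10:30:01 UTC 2016
    Device: rrqm/s wrqm/s r/s w/s rkB/s wkB/s avgrq-sz avgqu-sz await svctm %util
    sda 0.00 1.50 0.20 3.10 4.00 120.00 75.15 0.01 2.50 0.80 0.26
    sdb 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
    zzz ***Mon Jun 6 10:31:01 UTC 2016
    sda 0.10 2.00 1.00 4.00 8.00 150.00 63.20 0.02 3.10 0.90 0.45
  TXT

  # Mirrors init => "@@timestamp = ''" so a run can start from a clean state.
  def self.reset
    @@timestamp = ''
  end

  # Process one line. Returns nil for dropped lines (headers), otherwise an
  # event hash, exactly as the filter chain in the post would produce.
  def self.process(line)
    line = line.strip
    if line.start_with?('zzz')
      m = HEADER_RE.match(line)
      raise ArgumentError, "unparseable header: #{line.inspect}" unless m
      # mutate add_field "timestamp" => "%{day} %{month} %{year} %{time}"
      @@timestamp = "#{m[:day]} #{m[:month]} #{m[:year]} #{m[:time]}"
      nil # drop {}
    else
      m = DATA_RE.match(line)
      event = if m
                ev = { 'device' => m[:device] }
                FIELDS.zip(m[:values].split.map(&:to_f)) { |k, v| ev[k] = v }
                ev
              else
                # grok failure still lets the event through, tagged
                { 'message' => line, 'tags' => ['_grokparsefailure'] }
              end
      # ruby { code => "event['timestamp'] = @@timestamp" }
      # Note: a data line seen before any header gets the initial '' value.
      event['timestamp'] = @@timestamp
      event
    end
  end

  # Run the whole stream in order and collect the surviving events.
  def self.run(lines)
    lines.reject { |l| l.strip.empty? }.map { |l| process(l) }.compact
  end
end

if __FILE__ == $PROGRAM_NAME
  HeaderCarry.reset
  HeaderCarry.run(HeaderCarry::SAMPLE).each { |e| puts e.inspect }
end
```

Two practical caveats follow from the simulation. First, the carry only works while events reach the ruby filter in file order: a Logstash class variable is shared by every pipeline worker, so with more than one worker (the -w / --pipeline-workers setting) a data line from one batch can pick up the header saved by another, and the pipeline must run with a single worker for this config to be correct. Second, the event['timestamp'] indexing shown in the post is the pre-5.x event API; on Logstash 5 and later the same two lines become event.get('timestamp') and event.set('timestamp', @@timestamp). The resulting "timestamp" field is still a string; a date filter with the pattern "d MMM yyyy HH:mm:ss" turns it into @timestamp.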