Subtract term X from Y on the same log?

tomer · September 17, 2017, 6:02am

How can I Subtract term X from Y on the same log?
I saw this, but it doesn't do any arithmetical use. (This uses mutate).
I also tried through a scripted field in Kibana but the fields are not saved in ES and I need to later use them.

P.S.
I also tried through the ruby filter:

    event['delay'] = (event['old1']-event['old2'])

but it didnt result with any thing

Help will be greatly appreciated.

tomer · September 17, 2017, 8:44am

Found an answer here:

filter {
  if [received_at] and [@timestamp] {
    ruby {
      init => "require 'time'"
      code => "
        received_by_indexer = Time.iso8601(event['received_at'].to_s).to_i;
        time_in_event = Time.iso8601(event['@timestamp'].to_s).to_i;
        event['time_difference_in_seconds'] = received_by_indexer - time_in_event;
        event['epoch_received_at_in_seconds'] = received_by_indexer;
        event['epoch_timestamp_in_seconds'] = time_in_event;
        "
      add_tag => [ "calculated_time_difference" ]
    }
  }
}

system · October 15, 2017, 8:44am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash Ruby filter to subtract difference between two timestamps in single event Logstash	5	26264	July 6, 2017
Query checking difference of two terms in a log Elasticsearch	10	2708	October 3, 2017
How to calculate timediff of two fields in the same event Logstash	3	3683	December 4, 2017
Timestamp difference calculation Logstash	6	7115	December 6, 2017
Elapsed time between consecutive logs Logstash	5	916	September 14, 2017

Subtract term X from Y on the same log?

Related topics