Found an answer here:
# Logstash filter: computes the difference, in whole seconds, between an event's
# received_at field and its @timestamp field, and stores both values as epoch seconds.
filter {
# Run only when both fields are present on the event.
if [received_at] and [@timestamp] {
ruby {
# Executed at plugin start-up: loads Ruby's 'time' library, which provides Time.iso8601.
init => "require 'time'"
# The inline Ruby below parses both fields as ISO 8601 strings and converts them to
# integer epoch seconds (to_i drops any sub-second part), then sets:
#   time_difference_in_seconds   = received_at - @timestamp
#   epoch_received_at_in_seconds = received_at as epoch seconds
#   epoch_timestamp_in_seconds   = @timestamp as epoch seconds
# Time.iso8601 raises ArgumentError when a value is not valid ISO 8601.
# NOTE(review): event['field'] is the legacy hash-style event API; newer Logstash
# releases use event.get / event.set instead. Confirm against the deployed version.
# NOTE(review): presumably received_at is stamped by the receiving pipeline and
# @timestamp comes from the log source, so a large or negative difference would point
# to shipping delay or source clock skew. Confirm how received_at is populated.
code => "
received_by_indexer = Time.iso8601(event['received_at'].to_s).to_i;
time_in_event = Time.iso8601(event['@timestamp'].to_s).to_i;
event['time_difference_in_seconds'] = received_by_indexer - time_in_event;
event['epoch_received_at_in_seconds'] = received_by_indexer;
event['epoch_timestamp_in_seconds'] = time_in_event;
"
# Tag set by this filter so later stages can tell that the calculation was performed.
add_tag => [ "calculated_time_difference" ]
}
}
}