Trying to calculate differences between 2 timestamps

input {
  generator {
    message => "Jul 24 03:35:03 myhost metricbeat: 2020-07-24T03:35:03.788Z#011INFO#011[publisher]#011pipeline/retry.go:225#011  done"
    count => 1
  }
}

filter {

  grok {
    match => { "message" => "%{SYSLOGTIMESTAMP:event_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
  }

  # create a date object from our matched field above
  date {
    match => ["event_timestamp", "MMM dd HH:mm:ss"]
    target => ["event_timestamp"]
  }

  math {
    calculate => [
      [ "sub", "[@timestamp]", [event_timestamp], "[lag]" ]
    ]
  }
}

output { stdout { codec => rubydebug } }

I think it's always nice to ask an actual question in a post. Anyway, you can do that easily with a Ruby filter:

ruby {
  code => 'event.set("lag", event.get("@timestamp")-event.get("event_timestamp"))' 
}
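A guarded version of the subtraction from the answer above, as an added example that is not part of the original thread: it covers the cases where `event_timestamp` is missing (grok did not match) or is still a string (the date filter did not parse it), and flags a negative lag. Assumptions: `FakeEvent`, `add_lag`, `max_skew` and the two `_lag_*` tag names are hypothetical, and Ruby's `Time` stands in for Logstash's timestamp type so the code runs offline.

```ruby
# Hypothetical stand-in for the Logstash event API (get/set/tag) so this runs offline.
class FakeEvent
  def initialize(fields)
    @fields = fields
  end

  def get(key)
    @fields[key]
  end

  def set(key, value)
    @fields[key] = value
  end

  def tag(name)
    tags = (@fields["tags"] ||= [])
    tags << name unless tags.include?(name)
  end
end

# Logic that could form the body of a ruby filter's code option.
# Returns the lag in seconds, or nil when it cannot be computed.
def add_lag(event, max_skew = 5.0)
  seen = event.get("@timestamp")
  sent = event.get("event_timestamp")
  # After a grok failure the field is nil; after a date failure it is still a String.
  unless !seen.nil? && sent.is_a?(seen.class)
    event.tag("_lag_missing_timestamp")
    return nil
  end
  lag = (seen - sent).round(3)
  # A source clock ahead of the pipeline clock yields a negative lag; flag it.
  event.tag("_lag_negative") if lag < -max_skew
  event.set("lag", lag)
  lag
end

# Constructed sample: the event was stamped 2.25 s before the pipeline saw it.
ok = FakeEvent.new("@timestamp" => Time.utc(2020, 7, 24, 3, 35, 5, 250_000),
                   "event_timestamp" => Time.utc(2020, 7, 24, 3, 35, 3))
puts add_lag(ok)
```

Without the guard, subtracting a nil or string value raises inside the ruby filter, which tags the event `_rubyexception` and leaves `lag` unset.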

Really not sure why you feel so entitled to tell others how to post (in a non-DRY fashion) but am grateful for your solution. I forgot all about the move to get and set methods.

Thank you.

I didn't mean to sound entitled. I just tried to say that, if you want others to take time to help you, it would be nice if one opened the post and there was more than just a wall of code. Maybe even an explanation of what you tried and what happened.

It's all good. Thanks for helping me out of a jam. I owe you a bagel.
