I think it's always nice to ask an actual question in a post. Anyway, you can do that easily with a Ruby filter:
ruby {
code => 'event.set("lag", event.get("@timestamp")-event.get("event_timestamp"))'
}
1 Like