Using already provided time period

111238 · May 28, 2021, 8:13am

Hello.

I have a bit of a problem here - i'm reseiving via syslog some data including uptime/downtime periods in format "HHhr:MMmin:SSsec".
There's no problem parsing it in an object like "downtime.<hr/min/sec>", but how do I use it as time units for further aggregations/calculations (for example - total downtime for 24 hours)?

A little example just to clarify:
Data: *blabla* was down for 23hrs:59mins:57sec
Pattern: %{NUMBER:f5_downtime.hr}[a-z]*:%{NUMBER:f5_downtime.mins}[a-z]*:%{NUMBER:f5_downtime.secs}[a-z]*

Badger · May 28, 2021, 5:03pm

I would use a ruby filter to convert them all to seconds and sum them

ruby {
    code => '
        total_downtime = 0
        hrs = event.get("f5_downtime.hr").to_i
        if hrs
            total_downtime += hrs * 3600
        end
        mins = event.get("f5_downtime.mins").to_i
        if mins
            total_downtime += mins * 60
        end
        secs = event.get("f5_downtime.secs").to_i
        if secs
            total_downtime += secs
        end
        event.set("f5_downtime.total", total_downtime)
    '
}

Topic		Replies	Views
Parse different time duration formats/units to common format Logstash	5	336	January 19, 2023
Calculation in mutate field Logstash	3	11162	July 6, 2017
Parsing execution metrics which are represented as TimeSpan Logstash	2	1415	July 6, 2017
How to convert the hrs and min to sec in the log file item Logstash	1	349	April 12, 2019
Change String to Hours - date filters Logstash	10	519	February 20, 2020

Using already provided time period

Related topics