Using event API for timestamp formatting

arnold79 · May 11, 2017, 11:08am

Hi all,

I need to escalate events towards a separate output. The events are received in UTC timezone and need to be converted to Europe/Amsterdam. I've created a date filter to add additional two hours and ruby filter to put it back in the correct format. But I' can't get it working

I have the following code and tried the following configs. Inspired on the event API documentation, but better ideas are welcome .

Tried various options like event.sprintf, event.get with %{MMM dd HH:mm:ss} variable and even .strftime.
Below a the code that isn' working.

    filter {
      date {
        locale=> "en"
        match => ["timestamp", "MMM dd HH:mm:ss"]
        timezone => "Etc/GMT+2"
      }
      
      ruby {
       #code=> "event['localtimestamp'] =  event.sprintf('%{MMM dd HH:mm:ss}')"
    #code => "event.set('localtimestamp', event.sprintf(%{MMM dd HH:mm:ss}))"
    #code => "event.set('localtimestamp', event.get('%{MMM dd HH:mm:ss}'))"
    code => "event.set('localtimestamp', event.get(%{MMM dd HH:mm:ss}))"
   #code => "event.set('localtimestamp', event.get('@timestamp').strftime('%Y-%m-%d_%H-%M-%S'))"
      }
    }

Does anyone has an idea to convert the time from UTC to Europe/Amsterdam fully or partly ( only formatting) with Ruby filter + event API usage ?

arnold79 · May 11, 2017, 11:59am

I can say that the Ruby part of formatting is now almost working with following code (as string). I will update some new updates . Still curious how you guys are doing this !!

ruby {

code => "tstamp = event.get('@timestamp').to_i
        event.set('blaat', Time.at(tstamp).strftime('%Y-%m-%d %H:%M:%S'))"

}

Nico-DF · May 11, 2017, 12:01pm

Maybe you can create Time object directly if you have access to all timestamp fields

Time.new(event.get('year'), ...)

arnold79 · May 17, 2017, 2:53pm

HI @nico-DF,

thanks for your help.

I've got it working with the following config ( using a linux logstash agent with default europe/amsterdam timezone configured:

First get seconds from UTC timestamp and then format a string in our required timezone and syslog format using the Time lib.

filter {
date {
match => ["timestamp", "MMM dd HH:mm:ss"]
timezone => "UTC"
}

ruby {
code => "tstamp = event.get('@timestamp').to_i
event.set('epoch',tstamp)
event.set('syslogtime', Time.at(tstamp).strftime('%b %e %H:%M:%S'))"
}
}

system · June 14, 2017, 2:53pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.