Change date on event created by Elapsed or Aggrega

2019-09-02 07:49发布

站内问答 / 后端开发
946 1 5

When using new_event_on_match with elapsed filter a new event is created, with a fresh timestamp. The Aggregate filter adds a new event with a fresh timestamp as well.

I would like to use the timestamp from the original events, which is now available in the field elapsed_timestamp_start. How can I replace @timestamp in the newly created event?

Can I use a Date filter inside an Elapsed filter?

1条回答
对你真心纯属浪费
2楼-- · 2019-09-02 08:32

For starters, just note that only the elapsed filter creates a new event, the aggregate filter doesn't and will push whatever information has been aggregated so far into the last event.

In order to provide some context, the previous question you're referring to is this one.

You can achieve what you want, simply by adding a date filter just after the last elapsed filter, so as to modify the event newly created by the upstream elapsed filter. Also note that we first need to convert the elapsed_timestamp_start field to a string before trying to match the date because it's a Logstash timestamp object (created by the elapsed filter)

  if "elapsed" in [tags] {
    mutate {
      convert => {"elapsed_timestamp_start" => "string"}
    }
    date {
      match => ["elapsed_timestamp_start", "ISO8601"]
    }
  }
查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(5)