Change date on event created by Elapsed or Aggregate filters

Question:

When using new_event_on_match with the elapsed filter, a new event is created with a fresh timestamp. The aggregate filter adds a new event with a fresh timestamp as well.

I would like to use the timestamp from the original events, which is now available in the field elapsed_timestamp_start. How can I replace @timestamp in the newly created event?

Can I use a Date filter inside an Elapsed filter?

Answer1:

For starters, just note that only the elapsed filter creates a new event, the aggregate filter doesn't and will push whatever information has been aggregated so far into the last event.

In order to provide some context, the previous question you're referring to is this one: https://stackoverflow.com/questions/37353365/calculating-time-between-events

You can achieve what you want simply by adding a date filter just after the last elapsed filter, so as to modify the event newly created by the upstream elapsed filter. Also note that we first need to convert the elapsed_timestamp_start field to a string before trying to match the date, because it's a Logstash timestamp object (created by the elapsed filter).

    if "elapsed" in [tags] {
      mutate {
        convert => { "elapsed_timestamp_start" => "string" }
      }
      date {
        match => ["elapsed_timestamp_start", "ISO8601"]
      }
    }
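To show where that date filter sits relative to the elapsed filter, here is a complete pipeline as an added example; it is not code from the question or the answer above. The line format, the grok pattern, and the field names event_time, phase and request_id are assumptions made for this example; the elapsed filter options (start_tag, end_tag, unique_id_field, timeout, new_event_on_match) and the fields and tags it produces (elapsed_timestamp_start, elapsed_time, the "elapsed" tag) are the plugin's own.

```logstash
input {
  # Constructed sample input, one line per event, e.g.:
  #   2016-05-20T10:00:00.000Z start 6b3e1e2a-4b0a-4c9e-9f2e-0f3c1f2a9d11
  #   2016-05-20T10:00:07.250Z end   6b3e1e2a-4b0a-4c9e-9f2e-0f3c1f2a9d11
  stdin { }
}

filter {
  # Assumed line format: "<ISO8601 time> <start|end> <request uuid>".
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601:event_time} %{WORD:phase} %{UUID:request_id}" }
  }

  # Put the time carried in the log line on the original events, so the
  # elapsed filter measures log time rather than ingestion time.
  date {
    match => ["event_time", "ISO8601"]
  }

  # Tags the elapsed filter pairs on; names are assumptions for this example.
  if [phase] == "start" { mutate { add_tag => ["req_start"] } }
  if [phase] == "end"   { mutate { add_tag => ["req_end"] } }

  elapsed {
    start_tag          => "req_start"
    end_tag            => "req_end"
    unique_id_field    => "request_id"
    timeout            => 60
    new_event_on_match => true
  }

  # The event emitted by the elapsed filter carries a @timestamp set when the
  # match was made. Rewrite it from elapsed_timestamp_start, which is a Logstash
  # Timestamp object and must be converted to a string before the date filter
  # can parse it. Only the elapsed-generated event carries the "elapsed" tag,
  # so the original start/end events are left untouched.
  if "elapsed" in [tags] {
    mutate {
      convert => { "elapsed_timestamp_start" => "string" }
    }
    date {
      match  => ["elapsed_timestamp_start", "ISO8601"]
      target => "@timestamp"
    }
  }
}

output {
  stdout { codec => rubydebug }
}
```

Run it with `bin/logstash -f <path-to-this-config>` and paste the two sample lines on stdin: the start and end events pass through with their own timestamps, and the third event (the one generated by elapsed, holding elapsed_time) is printed with @timestamp equal to the start event's time rather than the moment the pair was matched. Note that the elapsed filter only ever emits the extra event; the aggregate filter writes its accumulated map into the terminating event instead, so the same date filter would have nothing to retarget there.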
