I'm working with logstash for 2 weeks, and I've a question about modifing the data.
The device which generate syslogs is not at the right hour, so the logs aren't at the right hour too, and I'd like to know how can I add hours to the time field for finally generate the correct timestamp.
Thanks in advance for any help !
You can use the Ruby filter plugin to do this.
Below sample code will add 14 days to the value in field #timestamp.
Replace the field name and the numeric values in second with whatever you want.
ruby {
code => 'event.set("#timestamp", LogStash::Timestamp.new(Time.at(event.get("#timestamp").to_f+1209600)))'
}
Related
I've configured Grafana to use Elasticsearch as a data source and prepared a few panels.
My document in ES index contains only a few fields. It describes some system actions, respectively there are such fields as userId, action date, and others.
Now I faced with the issue that I can't calculate the amount of time left when the action happened. I mean if the action happened 2 days ago, I need to have the number 2 in my table. Pretty simple I supposed.
I couldn't find any metric or transformation that can allow me to do it.
Any suggestion, help, please.
Resolved my issue with scripted field.
In table visualization, I just picked any numeric field, selected Min metric, and added script like next:
Instant Currentdate = Instant.ofEpochMilli(new Date().getTime());
Instant Startdate = Instant.ofEpochMilli(doc['activity'].value.getMillis());
ChronoUnit.DAYS.between(Startdate, Currentdate);
As a result, it shows me the number I needed.
I don't find this solution the best, so in case anybody know some better way to resolve this issue, please add a comment.
I am working on grafana dashboard in that, I passing start time and end time from one dashboard to another using template variable. This is how I passing the value
var-startTime=2020-07-23T05:07:04Z&var-endTime=2020-07-23T05:11:31Z
In another dashboard, I get the variable values and pass to Lucene query like
#timestamp:[$startTime TO $endTime]
It's working fine. But here I want to get data prior to 15 minutes from start time and 15 minutes later from end time. How could I add and subtract 15 minutes with this time? I need something like this.
#timestamp:[$startTime-15m TO $endTime+15m]
How can I achieve this?
In the Lucene expression language you can do exactly that using the || anchor:
#timestamp:[2020-07-23T05:07:04Z||-15m TO 2020-07-23T05:11:31Z||+15m]
So I guess you can have something like
#timestamp:[$startTime||-15m TO $endTime||+15m]
I am using Elasticsearch 2.4 and I have a Groovy script. I have a field in my document say doc['created_unix_timestamp'] which is type integer and it holds Unix timestamp. In a search query's script, I am trying to get YYYYMM from that value.
For example, if doc['created_unix_timestamp'] is 1522703848, then in the scripting during a calculation, I want to convert it to as 201804 where first 4 digits are Year and last two are month (with padded 0, if required)
I tried:
Integer.parseInt(new SimpleDateFormat('YYYYMM').format(new Date(doc['created_unix_timestamp'])))
But it throws "compilation error" "TransportError(400, 'search_phase_execution_exception', 'failed to compile groovy script')" . Any idea how to get it work or what is the correct syntax?
A couple recommendations.
Reindex and make created_unix_timestamp a true date in elasticsearch. This will make all kinds of new querying possible (date range for example). This would be ideal.
If you can't reindex, then pull it back as an int from ES and then convert it to whatever you want client side, I wouldn't recommend pushing that work to the ES cluster.
As per the suggestion of Szymon Stepniak in above comment, I solved this issue by
(new Date(1522705958L*1000).format('yyyyMM')).toInteger()
Thanks and credit goes to Szymon Stepniak
I've created an agent that copies messages from one folder to another, which works great, but I'd like to modify the Time/Date stamp on the message.
I see a value Date in the Simple Action, but can't find the variable to set the time to "now".
Any help would be greatly appreciated.
you can use formula #Now but you can't modify the date you see in the first tab of document properties, you can only edit the field in the document.
These are my Requirements:
I need to get Updated JIRA issues through RSS Every 1 Hour or Minutes.
So how can I filter the issues for my requirements?
What I tried so far:
I have filtered like, updated > startOfDay(-0d) and updated < now()
First time it returns the all issues i created or modified to me. But after that it returns all the previous issues along with modified issues.
I need only
issues which modified between now() and before 1 hour.
How can I create a JQL query like this?
You want the following:
updated >= "-1h"
Just write a query with where clause updated BETWEEN LocalDateTime.now().minusHours(1) AND LocalDateTime.now()?
Also you need to pass starting date (in my example LocalDateTime.now() from JodaTime is used) in order to get real start time instead of current time. It may be few seconds later and you will not find several issues updated on the beginning of last hour.