time
Time{stamp} manipulation
In its simplest use, time attaches a timestamp with the current date and time to a JSON record, with a default ISO UTC format, with millisecond precision.
| Field Name | Description | Type | Default |
|---|---|---|---|
| condition | Only run this action if the condition the specified condition is met | expression | - |
| input-field | Use incoming time, instead of current system time | field | - |
| output-field | A field where data is to be written | field | @timestamp |
| input-timezone | Select timezone of outgoing timestamp, instead of using UTC | string | - |
| output-timezone | Select timezone of outgoing timestamp, instead of using UTC | iana-timezone | - |
| input-format | Determine input format of timestamp | time-format | default_iso |
| input-formats | Handling data that has no uniform timestamp format | array of time-formats | - |
| output-format | Determine output format of timestamp | time-format | default_iso |
| when | Use for marking events that fulfill some time range | array of time-ranges | - |
| output-tag | Additional field to add when a when matches | string | - |
| output-fields | Additional fields to add when a when matches | array of (field,value) pairs | - |
| time-range-start-field | Use to save beginning timestamp of given time range | field | - |
| time-range-length-field | Use to save length of given time range, in seconds | field | - |
| local | Treat the following fields as using the local timezone, if none are specified the utc timezone is assumed | string | utc |
condition
Only run this action if the condition the specified condition is met
Type: expression
input-field
Use incoming time, instead of current system time
Type: field
Example: Notice the default UTC ISO input and output formats
input:
{"time":"2020-02-03T15:34:55.149Z"}
action:
time:
input-field: time
output:
{"time":"2020-02-03T15:34:55.149Z","@timestamp":"2020-02-03T15:34:55.149Z"}
Example: Without input-field we use current time. Note default fieldname.
input:
{}
action:
time:
output-field: time
output:
{"@timestamp":"2020-02-03T15:34:55.149Z"}
output-field
A field where data is to be written
Type: field
Example
input:
{}
action:
time:
output-field: T
output:
{"T":"2020-02-03T15:34:55.149Z"}
input-timezone
Select timezone of outgoing timestamp, instead of using UTC
The timezones are in the IANA formats specified at https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
Type: string
output-timezone
Select timezone of outgoing timestamp, instead of using UTC
The timezones are in the IANA formats specified at https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
Type: iana-timezone
Example
input:
{"time":"2020-02-03T15:34:55.149Z"}
action:
time:
input-field: time
output-timezone: Africa/Johannesburg
output:
{"time":"2020-02-03T15:34:55.149Z","@timestamp":"2020-02-03T17:34:55.149+02:00"}
input-format
Determine input format of timestamp
The full format specification can be found here: https://docs.rs/chrono/0.4.9/chrono/format/strftime/index.html#specifiers
In addition, there are some convenient shortcuts:
default_isois "%Y-%m-%dT%H:%M:%S%.3fZ" (which is otherwise the default when format is not specified)epoch_secsis "%s".epoch_frac_secsis seconds since Unix Epoch, but with millisecond fractionsepoch_msecsis "milliseconds since Unix Epoch" which is commonly used in JavaScript.
Type: time-format
Example
input:
{"time":"2020-02-03T15:34:55.149Z"}
action:
time:
input-field: time
input-format: default_iso
output:
{"time":"2020-02-03T15:34:55.149Z","@timestamp":"2020-02-03T15:34:55.149Z"}
Example
input:
{"time":1580744095}
action:
time:
input-field: time
input-format: epoch_secs
output:
{"time":1580744095,"@timestamp":"2020-02-03T15:34:55.000Z"}
Example
input:
{"time":1580744095}
action:
time:
input-field: time
input-format: epoch_secs
output:
{"time":1580744095,"@timestamp":"2020-02-03T15:34:55.000Z"}
Example
input:
{"time":1580744095149}
action:
time:
input-field: time
input-format: epoch_msecs
output:
{"time":1580744095149,"@timestamp":"2020-02-03T15:34:55.149Z"}
input-formats
Handling data that has no uniform timestamp format
The full format specification can be found here: https://docs.rs/chrono/0.4.9/chrono/format/strftime/index.html#specifiers
In addition, there are some convenient shortcuts:
default_isois "%Y-%m-%dT%H:%M:%S%.3fZ" (which is otherwise the default when format is not specified)epoch_secsis "%s".epoch_frac_secsis seconds since Unix Epoch, but with millisecond fractionsepoch_msecsis "milliseconds since Unix Epoch" which is commonly used in JavaScript.
Note: The formats are used according to the order they appear, meaning that whenever one format fails to match, the next is tried.
Type: array of time-formats
Example
input:
{"time":"2020-02-03T15:34:55.149Z"}
{"time":1580744095.149}
action:
time:
input-field: time
input-formats:
- default_iso
- epoch_frac_secs
output:
{"time":"2020-02-03T15:34:55.149Z","@timestamp":"2020-02-03T15:34:55.149Z"}
{"time":1580744095.149,"@timestamp":"2020-02-03T15:34:55.149Z"}
output-format
Determine output format of timestamp
The full format specification can be found here: https://docs.rs/chrono/0.4.9/chrono/format/strftime/index.html#specifiers
In addition, there are some convenient shortcuts:
default_isois "%Y-%m-%dT%H:%M:%S%.3fZ" (which is otherwise the default when format is not specified)epoch_secsis "%s".epoch_frac_secsis seconds since Unix Epoch, but with millisecond fractionsepoch_msecsis "milliseconds since Unix Epoch" which is commonly used in JavaScript.
Type: time-format
Example
input:
{"time":"2020-02-03T15:34:55.149Z"}
action:
time:
input-timezone: UTC
input-field: time
output-format: epoch_secs
output:
{"time":"2020-02-03T15:34:55.149Z","@timestamp":1580744095}
Example
input:
{"time":"2020-02-03T15:34:55.149Z"}
action:
time:
input-timezone: UTC
input-field: time
output-format: epoch_frac_secs
output:
{"time":"2020-02-03T15:34:55.149Z","@timestamp":1580744095.149}
Example
input:
{"time":"2020-01-01T00:00:00.000Z"}
action:
time:
input-timezone: UTC
input-field: time
output-format: epoch_msecs
output:
{"time":"2020-01-01T00:00:00.000Z","@timestamp":1577836800000}
Example
input:
{"time":"2020-01-01T00:00:00.000Z"}
action:
time:
input-timezone: UTC
input-field: time
output-format: '%Y-%m-%d'
output:
{"time":"2020-01-01T00:00:00.000Z","@timestamp":"2020-01-01"}
when
Use for marking events that fulfill some time range
Works with existing time field
Type: array of time-ranges
Example
input:
{"time":"2020-02-03T14:34:55.149Z"}
{"time":"2020-02-03T17:34:55.149Z"}
action:
time:
input-field: time
when:
- 'mon-fri:09:00-17:00'
- 'sat:09:00-13:00'
output-fields:
- business-hours: true
output:
{"time":"2020-02-03T14:34:55.149Z","business-hours":true}
{"time":"2020-02-03T17:34:55.149Z"}
output-tag
Additional field to add when a when matches
Note that the value is always a string. Prefer output-fields above
Type: string
Example
input:
{"time":"2020-02-03T14:34:55.149Z"}
{"time":"2020-02-03T17:34:55.149Z"}
action:
time:
input-field: time
when:
- 'mon-fri:09:00-17:00'
- 'sat:09:00-13:00'
output-tag: business-hours=true
output:
{"time":"2020-02-03T14:34:55.149Z","business-hours":"true"}
{"time":"2020-02-03T17:34:55.149Z"}
output-fields
Additional fields to add when a when matches
Type: array of (field,value) pairs
time-range-start-field
Use to save beginning timestamp of given time range
Type: field
Example
input:
{"time":"2020-02-03T12:34:55.149Z"}
{"time":"2020-02-03T17:34:55.149Z"}
action:
time:
input-field: time
when:
- 'mon-fri:09:00-17:00'
time-range-start-field: start
time-range-length-field: len
output-fields:
- business-hours: true
output:
{"time":"2020-02-03T12:34:55.149Z","business-hours":true,"start":1580713200,"len":28800}
{"time":"2020-02-03T17:34:55.149Z","start":1580713200,"len":28800}
time-range-length-field
Use to save length of given time range, in seconds
Type: field
Example
input:
{"time":"2020-02-03T14:34:55.149Z"}
{"time":"2020-02-03T17:34:55.149Z"}
action:
time:
input-field: time
when:
- 'mon-fri:09:00-17:00'
time-range-start-field: start
time-range-length-field: len
output-fields:
- business-hours: true
output:
{"time":"2020-02-03T14:34:55.149Z","business-hours":true,"start":1580713200,"len":28800}
{"time":"2020-02-03T17:34:55.149Z","start":1580713200,"len":28800}
local
Treat the following fields as using the local timezone, if none are specified the utc timezone is assumed
Type: string