Version: 3.3.1

time

Time{stamp} manipulation

In its simplest use, time attaches a timestamp with the current date and time to a JSON record, with a default ISO UTC format, with millisecond precision.

Field Name	Description	Type	Default
condition	Only run this action if the condition the specified condition is met	expression	-
input-field	Use incoming time, instead of current system time	field	-
output-field	A field where data is to be written	field	@timestamp
input-timezone	Select timezone of outgoing timestamp, instead of using UTC	string	-
output-timezone	Select timezone of outgoing timestamp, instead of using UTC	iana-timezone	-
input-format	Determine input format of timestamp	time-format	default_iso
input-formats	Handling data that has no uniform timestamp format	array of time-formats	-
output-format	Determine output format of timestamp	time-format	default_iso
when	Use for marking events that fulfill some time range	array of time-ranges	-
output-tag	Additional field to add when a `when` matches	string	-
output-fields	Additional fields to add when a `when` matches	array of (field,value) pairs	-
time-range-start-field	Use to save beginning timestamp of given time range	field	-
time-range-length-field	Use to save length of given time range, in seconds	field	-
local	Treat the following fields as using the local timezone, if none are specified the utc timezone is assumed	string	utc
add-time	Add the specified amount of time to the timestamp (`now` is used if input-field is not specified)	duration	-
subtract-time	Subtract the specified amount of time from the timestamp (`now` is used if input-field is not specified)	duration	-
zero-time	Set the time component of the output time to 00:00:00.000	bool	false

condition

Only run this action if the condition the specified condition is met

Type: expression

input-field

Use incoming time, instead of current system time

Type: field

Example: Notice the default UTC ISO input and output formats

input:

{"time":"2020-02-03T15:34:55.149Z"}

action:

time:
  input-field: time

output:

{"time":"2020-02-03T15:34:55.149Z","@timestamp":"2020-02-03T15:34:55.149Z"}

Example: Without input-field we use current time. Note default fieldname.

input:

{}

action:

time:
  output-field: time

output:

{"@timestamp":"2020-02-03T15:34:55.149Z"}

output-field

A field where data is to be written

Type: field

Example

input:

{}

action:

time:
  output-field: T

output:

{"T":"2020-02-03T15:34:55.149Z"}

input-timezone

Select timezone of outgoing timestamp, instead of using UTC

The timezones are in the IANA formats specified at https://en.wikipedia.org/wiki/List_of_tz_database_time_zones

Type: string

output-timezone

Select timezone of outgoing timestamp, instead of using UTC

The timezones are in the IANA formats specified at https://en.wikipedia.org/wiki/List_of_tz_database_time_zones

Type: iana-timezone

Example

input:

{"time":"2020-02-03T15:34:55.149Z"}

action:

time:
  input-field: time
  output-timezone: Africa/Johannesburg

output:

{"time":"2020-02-03T15:34:55.149Z","@timestamp":"2020-02-03T17:34:55.149+02:00"}

input-format

Determine input format of timestamp

The full format specification can be found here: https://docs.rs/chrono/0.4.9/chrono/format/strftime/index.html#specifiers

In addition, there are some convenient shortcuts:

default_iso is "%Y-%m-%dT%H:%M:%S%.3fZ" (which is otherwise the default when format is not specified)
epoch_secs is "%s".
epoch_frac_secs is seconds since Unix Epoch, but with millisecond fractions
epoch_msecs is "milliseconds since Unix Epoch" which is commonly used in JavaScript.

Type: time-format

Example

input:

{"time":"2020-02-03T15:34:55.149Z"}

action:

time:
  input-field: time
  input-format: default_iso

output:

{"time":"2020-02-03T15:34:55.149Z","@timestamp":"2020-02-03T15:34:55.149Z"}

Example

input:

{"time":1580744095}

action:

time:
  input-field: time
  input-format: epoch_secs

output:

{"time":1580744095,"@timestamp":"2020-02-03T15:34:55.000Z"}

Example

input:

{"time":1580744095}

action:

time:
  input-field: time
  input-format: epoch_secs

output:

{"time":1580744095,"@timestamp":"2020-02-03T15:34:55.000Z"}

Example

input:

{"time":1580744095149}

action:

time:
  input-field: time
  input-format: epoch_msecs

output:

{"time":1580744095149,"@timestamp":"2020-02-03T15:34:55.149Z"}

input-formats

Handling data that has no uniform timestamp format

The full format specification can be found here: https://docs.rs/chrono/0.4.9/chrono/format/strftime/index.html#specifiers

In addition, there are some convenient shortcuts:

default_iso is "%Y-%m-%dT%H:%M:%S%.3fZ" (which is otherwise the default when format is not specified)
epoch_secs is "%s".
epoch_frac_secs is seconds since Unix Epoch, but with millisecond fractions
epoch_msecs is "milliseconds since Unix Epoch" which is commonly used in JavaScript.

Note: The formats are used according to the order they appear, meaning that whenever one format fails to match, the next is tried.

Type: array of time-formats

Example

input:

{"time":"2020-02-03T15:34:55.149Z"}
{"time":1580744095.149}

action:

time:
  input-field: time
  input-formats:
    - default_iso
    - epoch_frac_secs

output:

{"time":"2020-02-03T15:34:55.149Z","@timestamp":"2020-02-03T15:34:55.149Z"}
{"time":1580744095.149,"@timestamp":"2020-02-03T15:34:55.149Z"}

output-format

Determine output format of timestamp

The full format specification can be found here: https://docs.rs/chrono/0.4.9/chrono/format/strftime/index.html#specifiers

In addition, there are some convenient shortcuts:

default_iso is "%Y-%m-%dT%H:%M:%S%.3fZ" (which is otherwise the default when format is not specified)
epoch_secs is "%s".
epoch_frac_secs is seconds since Unix Epoch, but with millisecond fractions
epoch_msecs is "milliseconds since Unix Epoch" which is commonly used in JavaScript.

Type: time-format

Example

input:

{"time":"2020-02-03T15:34:55.149Z"}

action:

time:
  input-timezone: UTC
  input-field: time
  output-format: epoch_secs

output:

{"time":"2020-02-03T15:34:55.149Z","@timestamp":1580744095}

Example

input:

{"time":"2020-02-03T15:34:55.149Z"}

action:

time:
  input-timezone: UTC
  input-field: time
  output-format: epoch_frac_secs

output:

{"time":"2020-02-03T15:34:55.149Z","@timestamp":1580744095.149}

Example

input:

{"time":"2020-01-01T00:00:00.000Z"}

action:

time:
  input-timezone: UTC
  input-field: time
  output-format: epoch_msecs

output:

{"time":"2020-01-01T00:00:00.000Z","@timestamp":1577836800000}

Example

input:

{"time":"2020-01-01T00:00:00.000Z"}

action:

time:
  input-timezone: UTC
  input-field: time
  output-format: '%Y-%m-%d'

output:

{"time":"2020-01-01T00:00:00.000Z","@timestamp":"2020-01-01"}

when

Use for marking events that fulfill some time range

Works with existing time field

Type: array of time-ranges

Example

input:

{"time":"2020-02-03T14:34:55.149Z"}
{"time":"2020-02-03T17:34:55.149Z"}

action:

time:
  input-field: time
  when:
    - 'mon-fri:09:00-17:00'
    - 'sat:09:00-13:00'
  output-fields:
    - business-hours: true

output:

{"time":"2020-02-03T14:34:55.149Z","business-hours":true}
{"time":"2020-02-03T17:34:55.149Z"}

output-tag

Additional field to add when a when matches

Note that the value is always a string. Prefer output-fields above

Type: string

Example

input:

{"time":"2020-02-03T14:34:55.149Z"}
{"time":"2020-02-03T17:34:55.149Z"}

action:

time:
  input-field: time
  when:
    - 'mon-fri:09:00-17:00'
    - 'sat:09:00-13:00'
  output-tag: business-hours=true

output:

{"time":"2020-02-03T14:34:55.149Z","business-hours":"true"}
{"time":"2020-02-03T17:34:55.149Z"}

output-fields

Additional fields to add when a when matches

Type: array of (field,value) pairs

time-range-start-field

Use to save beginning timestamp of given time range

Type: field

Example

input:

{"time":"2020-02-03T12:34:55.149Z"}
{"time":"2020-02-03T17:34:55.149Z"}

action:

time:
  input-field: time
  when:
    - 'mon-fri:09:00-17:00'
  time-range-start-field: start
  time-range-length-field: len
  output-fields:
    - business-hours: true

output:

{"time":"2020-02-03T12:34:55.149Z","business-hours":true,"start":1580713200,"len":28800}
{"time":"2020-02-03T17:34:55.149Z","start":1580713200,"len":28800}

time-range-length-field

Use to save length of given time range, in seconds

Type: field

Example

input:

{"time":"2020-02-03T14:34:55.149Z"}
{"time":"2020-02-03T17:34:55.149Z"}

action:

time:
  input-field: time
  when:
    - 'mon-fri:09:00-17:00'
  time-range-start-field: start
  time-range-length-field: len
  output-fields:
    - business-hours: true

output:

{"time":"2020-02-03T14:34:55.149Z","business-hours":true,"start":1580713200,"len":28800}
{"time":"2020-02-03T17:34:55.149Z","start":1580713200,"len":28800}

local

Treat the following fields as using the local timezone, if none are specified the utc timezone is assumed

Type: string

add-time

Add the specified amount of time to the timestamp (now is used if input-field is not specified)

Type: duration

subtract-time

Subtract the specified amount of time from the timestamp (now is used if input-field is not specified)

Type: duration

zero-time

Set the time component of the output time to 00:00:00.000

Type: bool

time

condition​

input-field​

output-field​

input-timezone​

output-timezone​

input-format​

input-formats​

output-format​

when​

output-tag​

output-fields​

time-range-start-field​

time-range-length-field​

local​

add-time​

subtract-time​

zero-time​

condition

input-field

output-field

input-timezone

output-timezone

input-format

input-formats

output-format

when

output-tag

output-fields

time-range-start-field

time-range-length-field

local

add-time

subtract-time

zero-time