Action: time
Time{stamp} manipulation
In its simplest use, time attaches a timestamp with the current date and time to a JSON record, with a default ISO UTC format, with millisecond precision.
Field Summary
| Field Name | Type | Description | Default |
|---|---|---|---|
| condition | expression | Only run this action if the condition the specified condition is met | - |
| input-field | field | Use incoming time, instead of current system time | - |
| output-field | field | A field where data is to be written | @timestamp |
| input-timezone | string | Select timezone of outgoing timestamp, instead of using UTC | - |
| output-timezone | iana-timezone | Select timezone of outgoing timestamp, instead of using UTC | - |
| input-format | time-format | Determine input format of timestamp | default_iso |
| input-formats | array of time-formats | Handling data that has no uniform timestamp format | - |
| output-format | time-format | Determine output format of timestamp | default_iso |
| when | array of time-ranges | Use for marking events that fulfill some time range | - |
| output-tag | string | Additional field to add when a when matches | - |
| output-fields | array of (field,value) pairs | Additional fields to add when a when matches | - |
| time-range-start-field | field | Use to save beginning timestamp of given time range | - |
| time-range-length-field | field | Use to save length of given time range, in seconds | - |
| local | string | Treat the following fields as using the local timezone, if none are specified the utc timezone is assumed | utc |
| add-time | duration | Add the specified amount of time to the timestamp (now is used if input-field is not specified) | - |
| subtract-time | duration | Subtract the specified amount of time from the timestamp (now is used if input-field is not specified) | - |
| zero-time | bool | Set the time component of the output time to 00:00:00.000 | false |
Fields
condition
Type: expression
Only run this action if the condition the specified condition is met
input-field
Type: field
Use incoming time, instead of current system time
Example: Notice the default UTC ISO input and output formats
Input:
{"time":"2020-02-03T15:34:55.149Z"}
Pipe Language Snippet:
time:
input-field: time
Output:
{"time":"2020-02-03T15:34:55.149Z","@timestamp":"2020-02-03T15:34:55.149Z"}
Example: Without input-field we use current time. Note default fieldname.
Input:
{}
Pipe Language Snippet:
time:
output-field: time
Output:
{"@timestamp":"2020-02-03T15:34:55.149Z"}
output-field
Type: field
Default: @timestamp
A field where data is to be written
Example
Input:
{}
Pipe Language Snippet:
time:
output-field: T
Output:
{"T":"2020-02-03T15:34:55.149Z"}
input-timezone
Type: string
Select timezone of outgoing timestamp, instead of using UTC
The timezones are in the IANA formats specified at https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
output-timezone
Type: iana-timezone
Select timezone of outgoing timestamp, instead of using UTC
The timezones are in the IANA formats specified at https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
Example
Input:
{"time":"2020-02-03T15:34:55.149Z"}
Pipe Language Snippet:
time:
input-field: time
output-timezone: Africa/Johannesburg
Output:
{"time":"2020-02-03T15:34:55.149Z","@timestamp":"2020-02-03T17:34:55.149+02:00"}
input-format
Type: time-format
Default: default_iso
Determine input format of timestamp
The full format specification can be found here: https://docs.rs/chrono/0.4.9/chrono/format/strftime/index.html#specifiers
In addition, there are some convenient shortcuts:
default_isois "%Y-%m-%dT%H:%M:%S%.3fZ" (which is otherwise the default when format is not specified)epoch_secsis "%s".epoch_frac_secsis seconds since Unix Epoch, but with millisecond fractionsepoch_msecsis "milliseconds since Unix Epoch" which is commonly used in JavaScript.epoch_nanosecsis thenanoseconds since the Unix Epoch
Example
Input:
{"time":"2020-02-03T15:34:55.149Z"}
Pipe Language Snippet:
time:
input-field: time
input-format: default_iso
Output:
{"time":"2020-02-03T15:34:55.149Z","@timestamp":"2020-02-03T15:34:55.149Z"}
Example
Input:
{"time":1580744095}
Pipe Language Snippet:
time:
input-field: time
input-format: epoch_secs
Output:
{"time":1580744095,"@timestamp":"2020-02-03T15:34:55.000Z"}
Example
Input:
{"time":1580744095}
Pipe Language Snippet:
time:
input-field: time
input-format: epoch_secs
Output:
{"time":1580744095,"@timestamp":"2020-02-03T15:34:55.000Z"}
Example
Input:
{"time":1580744095149}
Pipe Language Snippet:
time:
input-field: time
input-format: epoch_msecs
Output:
{"time":1580744095149,"@timestamp":"2020-02-03T15:34:55.149Z"}
input-formats
Type: array of time-formats
Handling data that has no uniform timestamp format
The full format specification can be found here: https://docs.rs/chrono/0.4.9/chrono/format/strftime/index.html#specifiers
In addition, there are some convenient shortcuts:
default_isois "%Y-%m-%dT%H:%M:%S%.3fZ" (which is otherwise the default when format is not specified)epoch_secsis "%s".epoch_frac_secsis seconds since Unix Epoch, but with millisecond fractionsepoch_msecsis "milliseconds since Unix Epoch" which is commonly used in JavaScript.epoch_nanosecsis thenanoseconds since the Unix Epoch
Example
Input:
{"time":"2020-02-03T15:34:55.149Z"}
{"time":1580744095.149}
Pipe Language Snippet:
time:
input-field: time
input-formats:
- default_iso
- epoch_frac_secs
Output:
{"time":"2020-02-03T15:34:55.149Z","@timestamp":"2020-02-03T15:34:55.149Z"}
{"time":1580744095.149,"@timestamp":"2020-02-03T15:34:55.149Z"}
output-format
Type: time-format
Alias: format
Default: default_iso
Determine output format of timestamp
The full format specification can be found here: https://docs.rs/chrono/0.4.9/chrono/format/strftime/index.html#specifiers
In addition, there are some convenient shortcuts:
default_isois "%Y-%m-%dT%H:%M:%S%.3fZ" (which is otherwise the default when format is not specified)epoch_secsis "%s".epoch_frac_secsis seconds since Unix Epoch, but with millisecond fractionsepoch_msecsis "milliseconds since Unix Epoch" which is commonly used in JavaScript.epoch_nanosecsis thenanoseconds since the Unix Epoch
Example
Input:
{"time":"2020-02-03T15:34:55.149Z"}
Pipe Language Snippet:
time:
input-timezone: UTC
input-field: time
output-format: epoch_secs
Output:
{"time":"2020-02-03T15:34:55.149Z","@timestamp":1580744095}
Example
Input:
{"time":"2020-02-03T15:34:55.149Z"}
Pipe Language Snippet:
time:
input-timezone: UTC
input-field: time
output-format: epoch_frac_secs
Output:
{"time":"2020-02-03T15:34:55.149Z","@timestamp":1580744095.149}
Example
Input:
{"time":"2020-01-01T00:00:00.000Z"}
Pipe Language Snippet:
time:
input-timezone: UTC
input-field: time
output-format: epoch_msecs
Output:
{"time":"2020-01-01T00:00:00.000Z","@timestamp":1577836800000}
Example
Input:
{"time":"2020-01-01T00:00:00.000Z"}
Pipe Language Snippet:
time:
input-timezone: UTC
input-field: time
output-format: '%Y-%m-%d'
Output:
{"time":"2020-01-01T00:00:00.000Z","@timestamp":"2020-01-01"}
when
Type: array of time-ranges
Use for marking events that fulfill some time range
Works with existing time field
Example
Input:
{"time":"2020-02-03T14:34:55.149Z"}
{"time":"2020-02-03T17:34:55.149Z"}
Pipe Language Snippet:
time:
input-field: time
when:
- 'mon-fri:09:00-17:00'
- 'sat:09:00-13:00'
output-fields:
- business-hours: true
Output:
{"time":"2020-02-03T14:34:55.149Z","business-hours":true}
{"time":"2020-02-03T17:34:55.149Z"}
output-tag
Type: string
Additional field to add when a when matches
Note that the value is always a string. Prefer output-fields above
Example
Input:
{"time":"2020-02-03T14:34:55.149Z"}
{"time":"2020-02-03T17:34:55.149Z"}
Pipe Language Snippet:
time:
input-field: time
when:
- 'mon-fri:09:00-17:00'
- 'sat:09:00-13:00'
output-tag: business-hours=true
Output:
{"time":"2020-02-03T14:34:55.149Z","business-hours":"true"}
{"time":"2020-02-03T17:34:55.149Z"}
output-fields
Type: array of (field,value) pairs
Additional fields to add when a when matches
time-range-start-field
Type: field
Use to save beginning timestamp of given time range
Example
Input:
{"time":"2020-02-03T12:34:55.149Z"}
{"time":"2020-02-03T17:34:55.149Z"}
Pipe Language Snippet:
time:
input-field: time
when:
- 'mon-fri:09:00-17:00'
time-range-start-field: start
time-range-length-field: len
output-fields:
- business-hours: true
Output:
{"time":"2020-02-03T12:34:55.149Z","business-hours":true,"start":1580713200,"len":28800}
{"time":"2020-02-03T17:34:55.149Z","start":1580713200,"len":28800}
time-range-length-field
Type: field
Use to save length of given time range, in seconds
Example
Input:
{"time":"2020-02-03T14:34:55.149Z"}
{"time":"2020-02-03T17:34:55.149Z"}
Pipe Language Snippet:
time:
input-field: time
when:
- 'mon-fri:09:00-17:00'
time-range-start-field: start
time-range-length-field: len
output-fields:
- business-hours: true
Output:
{"time":"2020-02-03T14:34:55.149Z","business-hours":true,"start":1580713200,"len":28800}
{"time":"2020-02-03T17:34:55.149Z","start":1580713200,"len":28800}
local
Type: string
Default: utc
Possible Values: input, output, both, utc
Treat the following fields as using the local timezone, if none are specified the utc timezone is assumed
add-time
Type: duration
Add the specified amount of time to the timestamp (now is used if input-field is not specified)
subtract-time
Type: duration
Subtract the specified amount of time from the timestamp (now is used if input-field is not specified)
zero-time
Type: bool
Default: false
Set the time component of the output time to 00:00:00.000