time

Time{stamp} manipulation

In its simplest use, time attaches a timestamp holding the current date and time to a JSON record, in the default ISO UTC format with millisecond precision.

| Field Name | Description | Type | Default |
| --- | --- | --- | --- |
| input-field | Use incoming time, instead of current system time | string | - |
| output-field | A field where data is to be written | string | @timestamp |
| input-timezone | Select timezone of outgoing timestamp, instead of using UTC | string | - |
| output-timezone | Select timezone of outgoing timestamp, instead of using UTC | iana-timezone | - |
| output-format | Determine output format of timestamp | time-format | default_iso |
| input-format | Determine input format of timestamp | time-format | default_iso |
| input-formats | Handling data that has no uniform timestamp format | array of time-format | - |
| when | Use for marking events that fulfill some time range | array of time-range | - |
| output-tag | Additional field to add when a when matches | string | - |
| output-fields | Additional fields to add when a when matches | array of (field,value) pairs | - |
| time-range-start-field | Use to save beginning timestamp of given time range | field | - |
| time-range-length-field | Use to save length of given time range, in seconds | field | - |

input-field

Use incoming time, instead of current system time

Type: string

Example: Notice the default UTC ISO input and output formats

input:

{"time":"2020-02-03T15:34:55.149Z"}

action:

time:
  input-field: time

output:

{"time":"2020-02-03T15:34:55.149Z","@timestamp":"2020-02-03T15:34:55.149Z"}

Example: Without input-field, the current time is used. Note the default field name.

input:

{}

action:

time:
  output-field: time

output:

{"@timestamp":"2020-02-03T15:34:55.149Z"}

output-field

A field where data is to be written

Type: string

Example

input:

{}

action:

time:
  output-field: T

output:

{"T":"2020-02-03T15:34:55.149Z"}

input-timezone

Select timezone of outgoing timestamp, instead of using UTC

The timezones are in the IANA formats specified at https://en.wikipedia.org/wiki/List_of_tz_database_time_zones

Type: string

output-timezone

Select timezone of outgoing timestamp, instead of using UTC

The timezones are in the IANA formats specified at https://en.wikipedia.org/wiki/List_of_tz_database_time_zones

Type: iana-timezone

Example

input:

{"time":"2020-02-03T15:34:55.149Z"}

action:

time:
  input-field: time
  output-timezone: Africa/Johannesburg

output:

{"time":"2020-02-03T15:34:55.149Z","@timestamp":"2020-02-03T17:34:55.149Z"}

output-format

Determine output format of timestamp

The full format specification can be found here: https://docs.rs/chrono/0.4.9/chrono/format/strftime/index.html#specifiers

In addition, there are some convenient shortcuts:

  • default_iso is "%Y-%m-%dT%H:%M:%S%.3fZ" (which is otherwise the default when format is not specified)
  • epoch_secs is "%s".
  • epoch_frac_secs is seconds since Unix Epoch, but with millisecond fractions
  • epoch_msecs is "milliseconds since Unix Epoch" which is commonly used in JavaScript.

Type: time-format

Example

input:

{"time":"2020-02-03T15:34:55.149Z"}

action:

time:
  input-timezone: UTC
  input-field: time
  output-format: epoch_secs

output:

{"time":"2020-02-03T15:34:55.149Z","@timestamp":1580744095}

Example

input:

{"time":"2020-02-03T15:34:55.149Z"}

action:

time:
  input-timezone: UTC
  input-field: time
  output-format: epoch_frac_secs

output:

{"time":"2020-02-03T15:34:55.149Z","@timestamp":1580744095.149}

Example

input:

{"time":"2020-01-01T00:00:00.000Z"}

action:

time:
  input-timezone: UTC
  input-field: time
  output-format: epoch_msecs

output:

{"time":"2020-01-01T00:00:00.000Z","@timestamp":1577836800000}

Example

input:

{"time":"2020-01-01T00:00:00.000Z"}

action:

time:
  input-timezone: UTC
  input-field: time
  output-format: '%Y-%m-%d'

output:

{"time":"2020-01-01T00:00:00.000Z","@timestamp":"2020-01-01"}

input-format

Determine input format of timestamp

The full format specification can be found here: https://docs.rs/chrono/0.4.9/chrono/format/strftime/index.html#specifiers

In addition, there are some convenient shortcuts:

  • default_iso is "%Y-%m-%dT%H:%M:%S%.3fZ" (which is otherwise the default when format is not specified)
  • epoch_secs is "%s".
  • epoch_frac_secs is seconds since Unix Epoch, but with millisecond fractions
  • epoch_msecs is "milliseconds since Unix Epoch" which is commonly used in JavaScript.

Type: time-format

Example

input:

{"time":"2020-02-03T15:34:55.149Z"}

action:

time:
  input-field: time
  input-format: default_iso

output:

{"time":"2020-02-03T15:34:55.149Z","@timestamp":"2020-02-03T15:34:55.149Z"}

Example

input:

{"time":1580744095}

action:

time:
  input-field: time
  input-format: epoch_secs

output:

{"time":1580744095,"@timestamp":"2020-02-03T15:34:55.000Z"}

Example

input:

{"time":1580744095149}

action:

time:
  input-field: time
  input-format: epoch_msecs

output:

{"time":1580744095149,"@timestamp":"2020-02-03T15:34:55.149Z"}

input-formats

Handling data that has no uniform timestamp format

The full format specification can be found here: https://docs.rs/chrono/0.4.9/chrono/format/strftime/index.html#specifiers

In addition, there are some convenient shortcuts:

  • default_iso is "%Y-%m-%dT%H:%M:%S%.3fZ" (which is otherwise the default when format is not specified)
  • epoch_secs is "%s".
  • epoch_frac_secs is seconds since Unix Epoch, but with millisecond fractions
  • epoch_msecs is "milliseconds since Unix Epoch" which is commonly used in JavaScript.

Type: array of time-format

Example

input:

{"time":"2020-02-03T15:34:55.149Z"}
{"time":1580744095.149}

action:

time:
  input-field: time
  input-formats:
    - default_iso
    - epoch_frac_secs

output:

{"time":"2020-02-03T15:34:55.149Z","@timestamp":"2020-02-03T15:34:55.149Z"}
{"time":1580744095.149,"@timestamp":"2020-02-03T15:34:55.149Z"}
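
The try-each-format-in-order behaviour of input-formats, sketched in Python as an added example (not the tool's own code). The function names, the type checks per shortcut and the rejection of unmatched records are assumptions made for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
ISO = "%Y-%m-%dT%H:%M:%S.%fZ"  # Python spelling of the page's default_iso

def _iso(value):
    if not isinstance(value, str):
        raise ValueError("default_iso expects a string")
    return datetime.strptime(value, ISO).replace(tzinfo=timezone.utc)

def _epoch(ms_per_unit, whole_only=False):
    """Build a parser for numeric epoch values in the given unit."""
    def parse(value):
        numeric = isinstance(value, (int, float)) and not isinstance(value, bool)
        if not numeric or (whole_only and not isinstance(value, int)):
            raise ValueError("unexpected type for epoch value")
        return EPOCH + timedelta(milliseconds=round(value * ms_per_unit))
    return parse

PARSERS = {
    "default_iso": _iso,
    "epoch_secs": _epoch(1000, whole_only=True),
    "epoch_frac_secs": _epoch(1000),
    "epoch_msecs": _epoch(1, whole_only=True),
}

def to_default_iso(moment):
    return moment.strftime("%Y-%m-%dT%H:%M:%S.") + f"{moment.microsecond // 1000:03d}Z"

def stamp(record, input_field, input_formats, output_field="@timestamp"):
    """Try each format in order; the first one that parses wins."""
    for name in input_formats:
        try:
            moment = PARSERS[name](record[input_field])
        except (ValueError, OverflowError):
            continue  # also skips values far outside the datetime range
        return {**record, output_field: to_default_iso(moment)}
    # Assumption: reject the record; the page does not say what the action does here.
    raise ValueError(f"no listed format matched {record[input_field]!r}")

# The two input lines from the input-formats example on this page.
SAMPLE = ['{"time":"2020-02-03T15:34:55.149Z"}', '{"time":1580744095.149}']

def run_sample():
    formats = ["default_iso", "epoch_frac_secs"]
    return [stamp(json.loads(line), "time", formats) for line in SAMPLE]

if __name__ == "__main__":
    for rec in run_sample():
        print(json.dumps(rec, separators=(",", ":")))
```

Order matters for numeric shortcuts: a millisecond value offered to epoch_secs first only falls through to epoch_msecs here because it overflows the date range, so list the most specific format first.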

when

Use for marking events that fulfill some time range

Works with an existing time field.

Type: array of time-range

Example

input:

{"time":"2020-02-03T14:34:55.149Z"}
{"time":"2020-02-03T17:34:55.149Z"}

action:

time:
  input-field: time
  when:
    - 'mon-fri:09:00-17:00'
    - 'sat:09:00-13:00'
  output-fields:
    - business-hours: true

output:

{"time":"2020-02-03T14:34:55.149Z","business-hours":true}
{"time":"2020-02-03T17:34:55.149Z"}

output-tag

Additional field to add when a when matches

Note that the value is always a string. Prefer output-fields above.

Type: string

Example

input:

{"time":"2020-02-03T14:34:55.149Z"}
{"time":"2020-02-03T17:34:55.149Z"}

action:

time:
  input-field: time
  when:
    - 'mon-fri:09:00-17:00'
    - 'sat:09:00-13:00'
  output-tag: business-hours=true

output:

{"time":"2020-02-03T14:34:55.149Z","business-hours":"true"}
{"time":"2020-02-03T17:34:55.149Z"}

output-fields

Additional fields to add when a when matches

Type: array of (field,value) pairs

time-range-start-field

Use to save beginning timestamp of given time range

Type: field

Example

input:

{"time":"2020-02-03T12:34:55.149Z"}
{"time":"2020-02-03T17:34:55.149Z"}

action:

time:
  input-field: time
  when:
    - 'mon-fri:09:00-17:00'
  time-range-start-field: start
  time-range-length-field: len
  output-fields:
    - business-hours: true

output:

{"time":"2020-02-03T12:34:55.149Z","business-hours":true,"start":1580713200,"len":28800}
{"time":"2020-02-03T17:34:55.149Z","start":1580713200,"len":28800}

time-range-length-field

Use to save length of given time range, in seconds

Type: field

Example

input:

{"time":"2020-02-03T14:34:55.149Z"}
{"time":"2020-02-03T17:34:55.149Z"}

action:

time:
  input-field: time
  when:
    - 'mon-fri:09:00-17:00'
  time-range-start-field: start
  time-range-length-field: len
  output-fields:
    - business-hours: true

output:

{"time":"2020-02-03T14:34:55.149Z","business-hours":true,"start":1580713200,"len":28800}
{"time":"2020-02-03T17:34:55.149Z","start":1580713200,"len":28800}
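
The when matching and the start/len values shown in the examples above, reproduced in Python as an added example (not the tool's own code). The fixed +02:00 offset is an assumption: the page does not say which zone the ranges are evaluated in, but its start value 1580713200 is 07:00:00 UTC, which is 09:00 at +02:00. The inclusive-start, exclusive-end boundary and all function names are assumptions too.

```python
from datetime import datetime, timedelta, timezone

DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]
ISO = "%Y-%m-%dT%H:%M:%S.%fZ"
# Assumption: ranges are evaluated at a fixed +02:00 offset (see lead-in).
ZONE = timezone(timedelta(hours=2))

def parse_range(spec):
    """Split 'mon-fri:09:00-17:00' into (weekday set, start offset, end offset)."""
    days, hours = spec.split(":", 1)
    first, _, last = days.partition("-")
    lo, hi = DAYS.index(first), DAYS.index(last or first)
    weekdays = {(lo + i) % 7 for i in range((hi - lo) % 7 + 1)}
    start, end = (timedelta(hours=int(t[:2]), minutes=int(t[3:5]))
                  for t in hours.split("-"))
    return weekdays, start, end

def window(stamp, spec, zone=ZONE):
    """Return (inside, range start as epoch seconds, range length in seconds)."""
    weekdays, start, end = parse_range(spec)
    utc = datetime.strptime(stamp, ISO).replace(tzinfo=timezone.utc)
    local = utc.astimezone(zone)
    midnight = local.replace(hour=0, minute=0, second=0, microsecond=0)
    begin = midnight + start
    # Assumption: the start is inclusive and the end exclusive.
    inside = local.weekday() in weekdays and begin <= local < midnight + end
    return inside, int(begin.timestamp()), int((end - start).total_seconds())

def tag(record, specs, fields, zone=ZONE):
    """Copy the record and add `fields` when any range contains record['time']."""
    hit = any(window(record["time"], spec, zone)[0] for spec in specs)
    return {**record, **fields} if hit else dict(record)

# The two input records and the ranges from the when example on this page.
RECORDS = [{"time": "2020-02-03T14:34:55.149Z"},
           {"time": "2020-02-03T17:34:55.149Z"}]
RANGES = ["mon-fri:09:00-17:00", "sat:09:00-13:00"]

if __name__ == "__main__":
    for rec in RECORDS:
        print(tag(rec, RANGES, {"business-hours": True}))
    print(window("2020-02-03T12:34:55.149Z", RANGES[0]))
```

Evaluating the same range in UTC moves the window by two hours, so an event at 07:30 UTC is inside the range at +02:00 and outside it in UTC; confirm which zone applies before relying on a business-hours tag in an alert.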