You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
It seems to me, if a dissection is using append fields to define the various date elements only to reassemble them so a date filter can parse the full date again, that this is a wasted opportunity to utilise the date elements to build a @timestamp (or other) field from the elements.
Similar to the Ruby constructor Time.new(year, month=nil, day=nil, hour=nil, min=nil, sec=nil, utc_offset=nil). or the Joda constructor DateTime(int year, int monthOfYear, int dayOfMonth, int hourOfDay, int minuteOfHour, int secondOfMinute, int millisOfSecond, DateTimeZone zone)
Proposal:
The dates directive is a Map. It has a mix of values for string keys.
If the value is an array then the key is the new date field name and the array contains the fields names in the event hold the values for Y, M, D, h, m, s, S, Z. These fields will be removed from the event on date add success. Any number of these dates can be defined.
If the value is a map and the key == "defaults, then the map contains default values - used like so: val = event.get(key) || defaults.get(key) (adjusted for Java) internally.
The text was updated successfully, but these errors were encountered:
It seems to me, if a dissection is using append fields to define the various date elements only to reassemble them so a date filter can parse the full date again, that this is a wasted opportunity to utilise the date elements to build a @timestamp (or other) field from the elements.
Example:
dissection -
"%{mon} %{day} %{yr} %{hr}:%{min}:%{sec} %{machine} %{program}"Sample message -
Mar 16 2017 00:01:25 fancy pantsOne could use a new directive, for example:
Similar to the Ruby constructor
Time.new(year, month=nil, day=nil, hour=nil, min=nil, sec=nil, utc_offset=nil). or the Joda constructorDateTime(int year, int monthOfYear, int dayOfMonth, int hourOfDay, int minuteOfHour, int secondOfMinute, int millisOfSecond, DateTimeZone zone)Proposal:
The dates directive is a Map. It has a mix of values for string keys.
If the value is an array then the key is the new date field name and the array contains the fields names in the event hold the values for Y, M, D, h, m, s, S, Z. These fields will be removed from the event on date add success. Any number of these dates can be defined.
If the value is a map and the key == "defaults, then the map contains default values - used like so:
val = event.get(key) || defaults.get(key)(adjusted for Java) internally.The text was updated successfully, but these errors were encountered: