Create two datetime fields in pipeline rule

Every log has timestamp field, I need to create two fields - one before some seconds timestamp field and another some seconds after. Is there some easy way, something like:
set_field(“timestamp_x_seconds_before”, message.timestamp.plusSeconds(x));
set_field(“timestamp_x_seconds_after”, message.timestamp.minusSeconds(x));


P.S. I need this fields to set up time range in search for related logs, but its another story

I did it in this way

rule "Add hour period time"

   let unix_millis = to_long(parse_date(to_string($message.timestamp), "yyyy-MM-dd'T'HH:mm:ss.SSSZ").millis);
   let hour_before = parse_unix_milliseconds(unix_millis - 3600000);
   let hour_after = parse_unix_milliseconds(unix_millis + 3600000);
   set_field( "timestamp_hour_before", format_date(hour_before,"yyyy-MM-dd'T'HH:mm:ss.SSS'Z'","your/timezone"));
   set_field( "timestamp_hour_after", format_date(hour_after,"yyyy-MM-dd'T'HH:mm:ss.SSS'Z'","your/timezone"));

Why not use this?
set_field("timestamp_hour_before", to_date($message.timestamp) - hours(1)); set_field("timestamp_hour_after", to_date($message.timestamp) + hours(1));

Definitely, it’s a better solution. Thanks!!!

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.