Hello.
Every log has a timestamp field, and I need to create two fields: one some seconds before the timestamp field and another some seconds after. Is there some easy way, something like:
set_field("timestamp_x_seconds_before", message.timestamp.minusSeconds(x));
set_field("timestamp_x_seconds_after", message.timestamp.plusSeconds(x));
Thx
P.S. I need these fields to set up a time range in the search for related logs, but that's another story.
rule "Add hour period time"
when
    has_field("timestamp")
then
    // Convert the message timestamp to epoch milliseconds so we can do arithmetic on it
    let unix_millis = to_long(parse_date(to_string($message.timestamp), "yyyy-MM-dd'T'HH:mm:ss.SSSZ").millis);
    // One hour = 3600000 ms; adjust the offset to whatever window you need
    let hour_before = parse_unix_milliseconds(unix_millis - 3600000);
    let hour_after = parse_unix_milliseconds(unix_millis + 3600000);
    // Replace "your/timezone" with the zone you want the new fields rendered in
    set_field("timestamp_hour_before", format_date(hour_before, "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'", "your/timezone"));
    set_field("timestamp_hour_after", format_date(hour_after, "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'", "your/timezone"));
end
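The same window computation, written as an added Python reference model rather than as part of this thread or of Graylog itself, so the arithmetic in the rule above can be checked against a sample message offline. It generalizes the rule to any offset in seconds, accepts both a literal 'Z' suffix and a numeric UTC offset on the input, and keeps the output in UTC so the trailing 'Z' in the formatted fields is truthful. The sample message, the field names and the search_range helper's from/to shape are assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample message in Graylog's default ISO-8601 timestamp format
# (assumption: millisecond precision with a trailing 'Z' meaning UTC).
SAMPLE_MESSAGE = {"timestamp": "2024-03-10T12:30:45.123Z", "source": "host-a"}


def parse_timestamp(value: str) -> datetime:
    """Parse an ISO-8601 timestamp into an aware UTC datetime.

    A literal 'Z' suffix is normalised to '+00:00' because fromisoformat()
    on older Python versions does not accept it; a naive timestamp is
    treated as UTC, which is how Graylog stores message timestamps.
    """
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def format_timestamp(dt: datetime) -> str:
    """Render as UTC with millisecond precision and a 'Z' suffix."""
    dt = dt.astimezone(timezone.utc)
    # %f yields microseconds (6 digits); drop the last three for milliseconds
    return dt.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def add_window_fields(message: dict, seconds: int) -> dict:
    """Return a copy of the message with timestamp_<x>_seconds_before/after set.

    Mirrors the pipeline rule: epoch arithmetic on the parsed timestamp,
    then formatting back to strings. Field names are this example's choice.
    """
    ts = parse_timestamp(message["timestamp"])
    delta = timedelta(seconds=seconds)
    out = dict(message)
    out[f"timestamp_{seconds}_seconds_before"] = format_timestamp(ts - delta)
    out[f"timestamp_{seconds}_seconds_after"] = format_timestamp(ts + delta)
    return out


def search_range(message: dict, seconds: int) -> dict:
    """Derive an absolute from/to window around the message for a related-log search."""
    fields = add_window_fields(message, seconds)
    return {
        "from": fields[f"timestamp_{seconds}_seconds_before"],
        "to": fields[f"timestamp_{seconds}_seconds_after"],
    }


if __name__ == "__main__":
    enriched = add_window_fields(SAMPLE_MESSAGE, 3600)
    print(enriched)
    print(search_range(SAMPLE_MESSAGE, 3600))
```

Because every value is normalised to UTC before formatting, the 'Z' suffix on the produced fields is correct; if the pipeline rule is run with a non-UTC zone in format_date while keeping the literal 'Z' in the pattern, the strings would look like UTC but carry local-time values, which is worth checking before relying on them for correlation.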