I have the below pipeline processor rule that allows me to extract the hour from the TimeStamp field.
rule "HourExtractor"
when
has_field("TimeStamp")
then
let Time = to_string($message.TimeStamp);
let Hour = grok("%{DATA:UNWANTED}T%{NUMBER:Hour}%{DATA:UNWANTED}", Time, true);
set_field("Hour", to_string(Hour));
end
It almost works as expected; however, when simulating with the following message:
If you’re trying to get the hour of the “timestamp” field (i.e. a real DateTime object), you could use the following rule:
rule "hour-extractor"
when
true // all messages have the "timestamp" field by default
then
let hour = $message.timestamp.hourOfDay;
set_field("hour", hour);
end
As for the grok() function, it returns a map, so you could use set_fields() to assign all results to the current message:
rule "HourExtractor"
when
has_field("TimeStamp")
then
let Time = to_string($message.TimeStamp);
let Hour = grok("%{DATA:UNWANTED}T%{NUMBER:Hour}%{DATA:UNWANTED}", Time, true);
set_fields(Hour);
end
We parse into camel-case fields, so TimeStamp is our normalized timestamp field. Windows Event logs come with the field timestamp, and we had to use pipelines to copy the timestamp field to the TimeStamp field, as using a copy extractor didn’t work. Using set_fields() worked perfectly; thank you for your help.
We are only using a stream that has the rule hour matches regex (19|20|21|22|23|00|01|02|03|04|05|06). This allows us to see out-of-hours activity. However, I will bear in mind your comment for the future.
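The two pieces of this thread, the HourExtractor pipeline rule (grok map merged with set_fields) and the out-of-hours stream rule on the Hour field, modelled offline in Python as an added example. This is not Graylog code and not code from any poster. Assumptions: timestamps are ISO-8601 strings as Graylog emits them; the sample events are constructed; Python's str() of a dict stands in for Graylog's to_string() of a map (the exact rendering differs, the point is that it is not the hour); re.search stands in for the stream rule's regex match, so check whether your Graylog version applies find or full-match semantics; and the hour window is evaluated in UTC, since Graylog's timestamp is UTC, so shift the regex window if "out of hours" means local time.

```python
"""Offline model of the HourExtractor pipeline rule and the out-of-hours stream rule."""
import re
from datetime import datetime

# Python shape of the page's grok pattern %{DATA:UNWANTED}T%{NUMBER:Hour}%{DATA:UNWANTED}:
# DATA is a lazy .*?, NUMBER is an optionally signed base-10 number. The UNWANTED
# captures are dropped here because Python forbids duplicate group names.
HOUR_PATTERN = re.compile(r".*?T(?P<Hour>[+-]?\d+(?:\.\d+)?)")

# The stream rule quoted in the thread, evaluated against the Hour field (UTC hours).
OUT_OF_HOURS_RE = re.compile(r"(19|20|21|22|23|00|01|02|03|04|05|06)")

# Constructed sample events, not real Windows Event log data.
SAMPLE_MESSAGES = [
    {"source": "dc01", "TimeStamp": "2019-03-12T14:05:33.123Z"},
    {"source": "dc01", "TimeStamp": "2019-03-12T22:41:07.000Z"},
    {"source": "dc02", "TimeStamp": "2019-03-13T03:15:59.000Z"},
    {"source": "dc02", "timestamp": "2019-03-13T09:00:00.000Z"},  # no TimeStamp field
]


def grok_hour(time_string):
    """Like grok(pattern, Time, true): a map of named captures, or an empty map on no match."""
    m = HOUR_PATTERN.match(time_string)
    return {"Hour": m.group("Hour")} if m else {}


def hour_of_day(time_string):
    """Like $message.timestamp.hourOfDay on a real DateTime: parse, then read the hour."""
    # fromisoformat() on older Pythons does not accept a trailing "Z", so normalise it.
    return datetime.fromisoformat(time_string.replace("Z", "+00:00")).hour


def buggy_hour_field(message):
    """The original rule: set_field("Hour", to_string(grok_map)).

    to_string() of a map stores the map's string form, not the captured hour,
    which is why the first rule only "almost" worked.
    """
    return str(grok_hour(str(message["TimeStamp"])))


def run_pipeline(message):
    """The corrected HourExtractor rule: when has_field("TimeStamp"), set_fields(grok(...))."""
    if "TimeStamp" not in message:
        return message
    captures = grok_hour(str(message["TimeStamp"]))
    return {**message, **captures}  # set_fields() merges every key of the map into the message


def is_out_of_hours(message):
    """The stream rule: Hour field matches regex. Messages without Hour never match."""
    hour = message.get("Hour")
    return hour is not None and OUT_OF_HOURS_RE.search(hour) is not None


def flag_out_of_hours(messages):
    """Run every message through the pipeline and return the timestamps the stream would catch."""
    return [m["TimeStamp"] for m in map(run_pipeline, messages) if is_out_of_hours(m)]


if __name__ == "__main__":
    for ts in flag_out_of_hours(SAMPLE_MESSAGES):
        print("out of hours:", ts, "hour", hour_of_day(ts))
```

Running the file prints the two constructed events with UTC hours 22 and 03; the 14:05 event is ignored and the event carrying only the lowercase timestamp field never gets an Hour field, so the stream rule cannot match it. If the hour is taken from the real DateTime instead (hour_of_day), the stream rule would need a numeric comparison or zero-padded string rather than the regex above, since hourOfDay yields 3, not "03".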