Perhaps the coffee hasn’t kicked in yet… been trying to get this working and it just isn’t turning out right. Even my Google-fu is off…
Our VPN reports the number of seconds a person was connected and I want to report that in a more readable fashion… so rather than 3,700 seconds I could see 1 hour, 1 minute, 40 seconds … or p1h1m40s … or 01:01:40… I am sure I am once again missing something simple. my un-working rule:
rule "RA-Pulse-3-close"
when
has_field("pulse_appliance") &&
contains(to_string($message.message),"Closed connection to")
then
let pulseLine = grok("%{PULSE_VPN_3_CLOSE}",to_string($message.message), true);
set_fields(pulseLine);
set_field("timestamp_short",format_date(value: to_date($message.timestamp), format: "yyMMdd-EEEE hh:mm aa", timezone: "America/New_York"));
let duration = now() - now() - seconds(to_long($message.pulse_connectsec));
set_field("pulse_Connection_Time", duration);
end
In this iteration it throws the error:
For rule 'RA-Pulse-3-close': At 9:19 an exception was thrown: org.joda.time.Duration cannot be cast to java.lang.Double
Very interesting problem, but with simple solution. I’ve created and tried this snippet and it works as expected. I’ve used function parse_unix_milliseconds to parse number of vpn duration in seconds as unix time. After that I only extracted hours, minutes and seconds using functions hourOfDay, minuteOfDay and secondOfDay and concat in one string.
let vpn_duration = parse_unix_milliseconds(to_long($message.pulse_connectsec) * 1000);
let vpn_hours = vpn_duration.hourOfDay;
let vpn_minutes = vpn_duration.minuteOfHour;
let vpn_seconds = vpn_duration.secondOfMinute;
let build_message_0 = concat(to_string(vpn_hours), " hours, ");
let build_message_1 = concat(build_message_0, to_string(vpn_minutes));
let build_message_2 = concat(build_message_1, " minutes, ");
let build_message_3 = concat(build_message_2, to_string(vpn_seconds));
let build_message_4 = concat(build_message_3, " seconds");
set_field("pulse_Connection_Time", build_message_4);