I have a log:
Sample:
{
  "ts": "2025-04-26T01:45:26.126095Z",
  "adminName": "",
  "adminEmail": "",
  "adminId": "",
  "networkName": "Delhi",
  "networkId": "",
  "networkUrl": "",
  "ssidName": null,
  "ssidNumber": null,
  "page": "Overview",
  "label": "",
  "oldValue": "",
  "newValue": "",
  "client": {
    "id": ,
    "type":
  }
I want to use the ts variable and put it in the metadata.event_timestamp variable.
How can I parse it?
Below is a sample parser:
filter {
  # Parse the raw log line as JSON; set a flag instead of failing on bad input
  json {
    source => "message"
    array_function => "split_columns"
    on_error => "not_json_format"
  }
  # Static UDM metadata for every event
  mutate {
    replace => {
      "src_present" => "false"
      "event1.idm.read_only_udm.metadata.vendor_name" => "Meraki"
      "event1.idm.read_only_udm.metadata.product_name" => "Dashboard"
      "event1.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT"
    }
  }
  # Emit the event
  mutate {
    merge => { "@output" => "event1" }
  }
}
Can anyone help?
@spartan_07 Below is a code snippet doing that exact thing. An example is also available in the docs. Here was the example raw JSON:
{
  "country": "US",
  "target_user": {
    "uuid": "FTASPXQHWRF3XMJDLGKWBMZ2LI",
    "name": "Stephanie Badum",
    "email": "abc.def.@demo.com"
  },
  "location": {
    "country": "US",
    "region": "California",
    "city": "Hawthorne",
    "latitude": 33.9168,
    "longitude": -118.3432
  },
  "category": "success",
  "type": "mfa_ok",
  "details": null,
  "client": {
    "os_name": "Windows",
    "os_version": "10.0",
    "ip_address": "2603:8000:7600:c4e1:4db:400b:ff2:6626",
    "app_name": "1Password Browser Extension",
    "app_version": "20216",
    "platform_name": "Chrome",
    "platform_version": "89.0.4389.82"
  },
  "uuid": "EPNGUJLHFVHCXMJL5LJQGXTENA",
  "session_uuid": "UYA65VLTKZAMJAYVODY6BJ36VE",
  "ts": "2022-07-27T22:46:30.312374636Z"
}
Here is the parser assigning it to the UDM schema.
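filter {
  # Parse the raw log line as JSON
  json {
    source => "message"
    array_function => "split_columns"
  }
  # Extract the ISO 8601 timestamp from "ts" into EventTime
  grok {
    match => {
      "ts" => "%{TIMESTAMP_ISO8601:EventTime}"
    }
    on_error => "time_stamp_failure"
  }
  # Convert EventTime and store it as the UDM event timestamp
  if [EventTime] != "" {
    date {
      match => ["EventTime", "ISO8601"]
      target => "event.idm.read_only_udm.metadata.event_timestamp"
    }
  }
}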
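
An added example, not code from either post: the question's Meraki parser with the `ts` mapping from the answer folded in. It writes to `event1` rather than `event`, because `event1` is the object the question's parser merges into `@output`. Initialising `ts` to an empty string first and the flag name `ts_not_iso8601` are assumptions made for this example.

```logstash
filter {
  # Initialise "ts" so the conditional below never tests an undefined field
  # (assumption for this example; the json filter overwrites it when present).
  mutate {
    replace => {
      "ts" => ""
      "event1.idm.read_only_udm.metadata.vendor_name" => "Meraki"
      "event1.idm.read_only_udm.metadata.product_name" => "Dashboard"
      "event1.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT"
    }
  }

  # Parse the raw log line; "ts" becomes a top-level field.
  json {
    source => "message"
    array_function => "split_columns"
    on_error => "not_json_format"
  }

  # "2025-04-26T01:45:26.126095Z" is already ISO 8601, so it can be handed
  # to the date filter directly. The target uses the same "event1" prefix
  # as the merge at the end, otherwise the timestamp lands in a different
  # object and never reaches the emitted event.
  if [ts] != "" {
    date {
      match => ["ts", "ISO8601"]
      target => "event1.idm.read_only_udm.metadata.event_timestamp"
      on_error => "ts_not_iso8601"   # hypothetical flag name
    }
  }

  # Emit the event.
  mutate {
    merge => { "@output" => "event1" }
  }
}
```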