This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
Check out the new Professional Security Operations Engineer certification beta!
Log in to ask a question

How to parse a variable to event timestamp

Posted on 04-26-2025 04:06 AM
spartan_07
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

I have a log : 
Sample : 

 

{
    "ts": "2025-04-26T01:45:26.126095Z",
    "adminName": "",
    "adminEmail": "",
    "adminId": "",
    "networkName": "Delhi",
    "networkId": "",
    "networkUrl": "",
    "ssidName": null,
    "ssidNumber": null,
    "page": "Overview",
    "label": "",
    "oldValue": "",
    "newValue": "",
    "client": {
        "id": ,
        "type": 
    }

I want to use the ts variable and put it in metadata.event_timestamp variable . 

How can I parse it? 
Below is a sample parser : 

filter {
        json {
            source => "message"
            array_function => "split_columns"
            on_error => "not_json_format"
        }

        mutate {
            replace => {
                "src_present" => "false"
                "event1.idm.read_only_udm.metadata.vendor_name" => "Meraki"
                "event1.idm.read_only_udm.metadata.product_name" => "Dashboard"
                "event1.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT"
            }
        }
 
   mutate {
      merge => { "@output" => "event1" }
    }         
}

Can anyone help?

 

0 1 146
0 Likes
1 REPLY 1
Top Solution Authors
View all