在logstash 中計算時間差的ruby code

在log 中， 經常出現2個時間，例如為開始時間和結束時間， 在導入elasticsearch 中，在logstash 中， 需要增加一個將時間差的欄位，無需另外的撰寫其他的落地程式。

"@timestamp": "2015-10-20T13:52:47.000Z" # this is when the host says the event occurred
"received_at": "2015-10-20T02:02:51.191Z" # this is when Logstash forwarder received the event

ruby code 範例

filter {
  if [received_at] and [@timestamp] {
  # calculate the time difference in seconds between two different timestamps and add return to event as a new field
    ruby {
      init => "require 'time'"
      code => "event['time_difference']= (Time.parse(event['received_at']).to_i) - (Time.parse(event['@timestamp']).to_i)"
      add_tag => [ "calculated_time_difference" ]
    }
  }
}

原始範例說明：