
I have a log.
Sample:

 

{ "ts": "2025-04-26T01:45:26.126095Z", "adminName": "", "adminEmail": "", "adminId": "", "networkName": "Delhi", "networkId": "", "networkUrl": "", "ssidName": null, "ssidNumber": null, "page": "Overview", "label": "", "oldValue": "", "newValue": "", "client": { "id": , "type": }

I want to use the ts variable and put it in the metadata.event_timestamp variable.

How can I parse it?
Below is a sample parser:

filter {
    json {
        source => "message"
        array_function => "split_columns"
        on_error => "not_json_format"
    }

    mutate {
        replace => {
            "src_present" => "false"
            "event1.idm.read_only_udm.metadata.vendor_name" => "Meraki"
            "event1.idm.read_only_udm.metadata.product_name" => "Dashboard"
            "event1.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT"
        }
    }

    mutate {
        merge => { "@output" => "event1" }
    }
}

Can anyone help?

 

@spartan_07 Below is a code snippet doing that exact thing. An example is also available in the docs. Here is the example raw JSON:

{ "country": "US", "target_user": { "uuid": "FTASPXQHWRF3XMJDLGKWBMZ2LI", "name": "Stephanie Badum", "email": "abc.def.@demo.com" }, "location": { "country": "US", "region": "California", "city": "Hawthorne", "latitude": 33.9168, "longitude": -118.3432 }, "category": "success", "type": "mfa_ok", "details": null, "client": { "os_name": "Windows", "os_version": "10.0", "ip_address": "2603:8000:7600:c4e1:4db:400b:ff2:6626", "app_name": "1Password Browser Extension", "app_version": "20216", "platform_name": "Chrome", "platform_version": "89.0.4389.82" }, "uuid": "EPNGUJLHFVHCXMJL5LJQGXTENA", "session_uuid": "UYA65VLTKZAMJAYVODY6BJ36VE", "ts": "2022-07-27T22:46:30.312374636Z" }

Here is the parser assigning it to the UDM schema.

filter {
    json {
        source => "message"
        array_function => "split_columns"
    }

    grok {
        match => { "ts" => "%{TIMESTAMP_ISO8601:EventTime}" }
        on_error => "time_stamp_failure"
    }

    if [EventTime] != "" {
        date {
            match => ["EventTime", "ISO8601"]
            target => "event.idm.read_only_udm.metadata.event_timestamp"
        }
    }
}

 


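The two posts above combined into one parser, as an added example that is not part of either original post or the product documentation: the question's Meraki parser with `ts` mapped to the event timestamp. It applies `date` directly to `ts` instead of going through grok as the answer does; the `ts_parse_failed` flag name, the pre-initialisation of `ts` and the drop of non-JSON lines are assumptions.

```logstash
filter {
    # Initialise ts so the conditional below is safe when the field is absent.
    mutate {
        replace => { "ts" => "" }
    }

    # Parse the raw line as JSON; set a flag instead of aborting on bad input.
    json {
        source => "message"
        array_function => "split_columns"
        on_error => "not_json_format"
    }

    # Assumption: lines that are not valid JSON are dropped, not emitted.
    if [not_json_format] {
        drop { tag => "TAG_MALFORMED_MESSAGE" }
    }

    # Static metadata, unchanged from the question's parser.
    mutate {
        replace => {
            "src_present" => "false"
            "event1.idm.read_only_udm.metadata.vendor_name" => "Meraki"
            "event1.idm.read_only_udm.metadata.product_name" => "Dashboard"
            "event1.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT"
        }
    }

    # Map the log's own ts (e.g. 2025-04-26T01:45:26.126095Z) to the UDM
    # event timestamp. The target uses event1 to match the merge below.
    if [ts] != "" {
        date {
            match => ["ts", "ISO8601"]
            target => "event1.idm.read_only_udm.metadata.event_timestamp"
            on_error => "ts_parse_failed"
        }
    }

    # Emit the event.
    mutate {
        merge => { "@output" => "event1" }
    }
}
```

Note that the `target` prefix has to match the event name passed to `@output`: the answer's snippet writes to `event`, while the question's parser emits `event1`.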