
I have a log. Sample:

{
  "ts": "2025-04-26T01:45:26.126095Z",
  "adminName": "",
  "adminEmail": "",
  "adminId": "",
  "networkName": "Delhi",
  "networkId": "",
  "networkUrl": "",
  "ssidName": null,
  "ssidNumber": null,
  "page": "Overview",
  "label": "",
  "oldValue": "",
  "newValue": "",
  "client": {
    "id": ,
    "type":
  }
}

I want to use the ts variable and put it in the metadata.event_timestamp variable.

How can I parse it?
Below is a sample parser:

filter {
  json {
    source => "message"
    array_function => "split_columns"
    on_error => "not_json_format"
  }

  mutate {
    replace => {
      "src_present" => "false"
      "event1.idm.read_only_udm.metadata.vendor_name" => "Meraki"
      "event1.idm.read_only_udm.metadata.product_name" => "Dashboard"
      "event1.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT"
    }
  }

  mutate {
    merge => { "@output" => "event1" }
  }
}

Can anyone help?

@spartan_07 Below is a code snippet doing that exact thing. An example is also available in the docs. Here is the example raw JSON:

{
  "country": "US",
  "target_user": {
    "uuid": "FTASPXQHWRF3XMJDLGKWBMZ2LI",
    "name": "Stephanie Badum",
    "email": "abc.def.@demo.com"
  },
  "location": {
    "country": "US",
    "region": "California",
    "city": "Hawthorne",
    "latitude": 33.9168,
    "longitude": -118.3432
  },
  "category": "success",
  "type": "mfa_ok",
  "details": null,
  "client": {
    "os_name": "Windows",
    "os_version": "10.0",
    "ip_address": "2603:8000:7600:c4e1:4db:400b:ff2:6626",
    "app_name": "1Password Browser Extension",
    "app_version": "20216",
    "platform_name": "Chrome",
    "platform_version": "89.0.4389.82"
  },
  "uuid": "EPNGUJLHFVHCXMJL5LJQGXTENA",
  "session_uuid": "UYA65VLTKZAMJAYVODY6BJ36VE",
  "ts": "2022-07-27T22:46:30.312374636Z"
}

Here is the parser assigning it to the UDM schema.

filter {
  json {
    source => "message"
    array_function => "split_columns"
  }
  grok {
    match => {
      "ts" => "%{TIMESTAMP_ISO8601:EventTime}"
    }
    on_error => "time_stamp_failure"
  }
  if [EventTime] != "" {
    date {
      match => ["EventTime", "ISO8601"]
      target => "event.idm.read_only_udm.metadata.event_timestamp"
    }
  }
}
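To make the three stages of that answer concrete (json filter, grok match on ts, date conversion into the UDM target field), here is an added Python walkthrough that is not part of the thread and not parser code; it mimics what each filter stage does so the behaviour can be checked offline. The regex is an approximation of grok's TIMESTAMP_ISO8601 pattern, the target path is the one from the answer, the error flag names are the on_error labels used in the thread, and the sample records are constructed from the field names shown above (one with 6 fractional digits as in the question, one with 9 as in the answer, one malformed as the question's pasted sample is).

```python
import json
import re
from datetime import datetime, timezone

# Approximation of grok's TIMESTAMP_ISO8601: date, 'T', time, optional
# fractional seconds of any length, then 'Z' or a numeric UTC offset.
ISO8601_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})T(?P<time>\d{2}:\d{2}(?::\d{2})?)"
    r"(?:\.(?P<frac>\d+))?(?P<tz>Z|[+-]\d{2}:?\d{2})$"
)

# Target field from the answer's date filter.
TARGET = "event.idm.read_only_udm.metadata.event_timestamp"

# Constructed samples (not real log lines). The first mirrors the question's
# field names, the second carries 9 fractional digits like the answer's JSON,
# the third is malformed in the same way as the question's pasted sample.
MERAKI_SAMPLE = json.dumps({
    "ts": "2025-04-26T01:45:26.126095Z",
    "networkName": "Delhi",
    "page": "Overview",
})
NANOSECOND_SAMPLE = json.dumps({"ts": "2022-07-27T22:46:30.312374636Z"})
MALFORMED_SAMPLE = '{"ts": "2025-04-26T01:45:26.126095Z", "client": {"id": , "type": }}'


def parse_iso8601(ts):
    """Stage 2 (grok) and stage 3 (date): validate the string and convert it
    to an aware datetime. Fractional seconds beyond microseconds are
    truncated, because datetime only carries microsecond precision."""
    m = ISO8601_RE.match(ts)
    if not m:
        return None  # grok would fail here and set time_stamp_failure
    frac = (m.group("frac") or "")[:6].ljust(6, "0")
    tz = m.group("tz")
    if tz == "Z":
        tz = "+00:00"
    elif ":" not in tz:
        tz = tz[:3] + ":" + tz[3:]
    hms = m.group("time")
    if hms.count(":") == 1:  # HH:MM without seconds
        hms += ":00"
    return datetime.fromisoformat(f"{m.group('date')}T{hms}.{frac}{tz}")


def set_nested(obj, dotted_path, value):
    """Create the nested dicts implied by a dotted target path."""
    parts = dotted_path.split(".")
    cur = obj
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


def process_message(message):
    """Run the equivalent of json -> grok -> date over one raw message.
    Returns the output event; on failure the corresponding flag is set
    instead of the timestamp, matching the on_error labels in the thread."""
    out = {}
    try:
        record = json.loads(message)  # stage 1: json filter
    except json.JSONDecodeError:
        out["not_json_format"] = True
        return out
    ts = record.get("ts")
    parsed = parse_iso8601(ts) if isinstance(ts, str) else None
    if parsed is None:
        out["time_stamp_failure"] = True
        return out
    # Normalise to UTC and emit an RFC 3339 string with microsecond precision.
    utc = parsed.astimezone(timezone.utc)
    set_nested(out, TARGET, utc.strftime("%Y-%m-%dT%H:%M:%S.%fZ"))
    return out


def event_timestamp(out):
    """Read back the nested target field, or None if it was not set."""
    cur = out
    for part in TARGET.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


if __name__ == "__main__":
    for sample in (MERAKI_SAMPLE, NANOSECOND_SAMPLE, MALFORMED_SAMPLE):
        print(json.dumps(process_message(sample)))
```

The malformed sample shows why the question's parser never reaches the timestamp: the json filter fails on the empty `"id": ,` value and only the `not_json_format` flag is set, so a well-formed record (a `"client"` object with real values) is needed before the grok and date stages can run.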
