When using new_event_on_match with elapsed filter a new event is created, with a fresh timestamp. The Aggregate filter adds a new event with a fresh timestamp as well.
I would like to use the timestamp from the original events, which is now available in the field elapsed_timestamp_start. How can I replace @timestamp in the newly created event?
Can I use a Date filter inside an Elapsed filter?
For starters, just note that only the elapsed filter creates a new event, the aggregate filter doesn't and will push whatever information has been aggregated so far into the last event.
In order to provide some context, the previous question you're referring to is this one.
You can achieve what you want, simply by adding a date filter just after the last elapsed filter, so as to modify the event newly created by the upstream elapsed filter. Also note that we first need to convert the elapsed_timestamp_start field to a string before trying to match the date because it's a Logstash timestamp object (created by the elapsed filter)
if "elapsed" in [tags] {
mutate {
convert => {"elapsed_timestamp_start" => "string"}
}
date {
match => ["elapsed_timestamp_start", "ISO8601"]
}
}
