This is only one runtime field from our repository. Also visit the complete Elastic runtime field repository to get the full overview of what's possible.


Manipulating time can be very useful for many different use cases. You can improve your visualizations and insights into your data by calculating the hour of day or the day of week. Painless time manipulation can also be used to adjust the timestamp itself, for improved timezone management or to fix time shift issues. Another important use case is calculating the duration between two different timestamps. Let's say you have one timestamp for log creation and another for the creation of the document in Elasticsearch. Knowing the duration between those two events can help to identify issues in your ingest pipelines. For all of these use cases you can also use runtime fields. The main advantage is that you can test your new field on the fly, including against older data.

Using the Painless scripting language to calculate your runtime fields gives you a lot of power to manipulate and work with time.

The following example calculates the day of week, so you get Monday, Tuesday and so on as the value of your runtime field. This is useful in visualizations and helps you learn more about usage patterns, e.g. when analysing access logs or real user monitoring data.

emit(doc['@timestamp'].value.dayOfWeekEnum.getDisplayName(TextStyle.FULL, Locale.ROOT))

The following example calculates the hour of day. Your runtime field will have values from 00 to 24. This is a great way to aggregate your data and learn more about usage patterns. Our real user monitoring dashboard uses both day of week and hour of day to show when users typically access the web application.

ZonedDateTime date =  doc['@timestamp'].value;
int hour = date.getHour();
if (hour < 10) {
    emit ('0' + String.valueOf(hour));
} else {
    emit (String.valueOf(hour));
}

The following example shows how to check the age of a specific document. It takes the current date and the date from the @timestamp field. The same approach can be used to calculate durations or to calculate how “old” the document is. All of these are valid use cases to visualize in Kibana dashboards.

// Current time and document time, both in epoch milliseconds
long nowDate = new Date().getTime();
long docDate = doc['@timestamp'].value.toEpochMilli();
long difference = nowDate - docDate;
boolean isOlderThan24hr = false;
// 86400000 ms = 24 hours
if (difference > 86400000) {
    isOlderThan24hr = true;
}
emit(isOlderThan24hr);
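
The ingest-duration use case from the introduction, written as an added example (not code from the runtime field repository). It is meant for a runtime field of type long with the hypothetical name ingest_lag_seconds, and it assumes your documents carry the ECS date field event.ingested as the second timestamp.

```painless
// Added example for a runtime field of type "long" (hypothetical name: ingest_lag_seconds).
// Assumption: documents carry the ECS date field event.ingested, set at index time
// by an ingest pipeline; the page itself does not name a second timestamp field.
if (doc.containsKey('event.ingested')
        && doc['event.ingested'].size() != 0
        && doc['@timestamp'].size() != 0) {
    ZonedDateTime created = doc['@timestamp'].value;        // when the log was written
    ZonedDateTime ingested = doc['event.ingested'].value;   // when Elasticsearch received it
    // Signed difference: a negative value means the source clock runs ahead of the
    // ingest node (time shift), a large positive value means delayed shipping.
    long lagMillis = ChronoUnit.MILLIS.between(created, ingested);
    emit(lagMillis / 1000);
}
// Documents missing either timestamp emit nothing, so the field stays empty for them.
```

Aggregating this field per data source shows which shippers deliver late or have skewed clocks.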
content share admin

About the author: Creator of the Elastic Content Share.
