Class: LogStash::Codecs::CEF::TimestampNormalizer

Inherits:

Object

Object
LogStash::Codecs::CEF::TimestampNormalizer

show all

Defined in:: lib/logstash/codecs/cef/timestamp_normalizer.rb

Overview

The CEF specification allows a variety of timestamp formats, some of which cannot be unambiguously parsed to a specific points in time, and may require additional side-channel information to do so, namely:

- the time zone or UTC offset (which MAY be included in a separate field)
- the locale (for parsing abbreviated month names)
- the year (assume "recent")

This normalizer attempts to use the provided context and make reasonable assumptions when parsing ambiguous dates.

Instance Method Summary collapse

#initialize(locale: nil, timezone: nil, clock: Clock.systemUTC) ⇒ TimestampNormalizer constructor

A new instance of TimestampNormalizer.
#normalize(value, device_timezone_name = nil) ⇒ Time

Constructor Details

#initialize(locale: nil, timezone: nil, clock: Clock.systemUTC) ⇒ `TimestampNormalizer`

Returns a new instance of TimestampNormalizer.

# File 'lib/logstash/codecs/cef/timestamp_normalizer.rb', line 26

def initialize(locale:nil, timezone:nil, clock: Clock.systemUTC)
  @clock = clock

  java_locale   = locale ? get_locale(locale) : Locale.get_default
  java_timezone = timezone ? ZoneId.of(timezone) : ZoneId.system_default

  @cef_timestamp_format_parser = DateTimeFormatter
                                     .ofPattern("MMM dd[ yyyy] HH:mm:ss[.SSSSSSSSS][.SSSSSS][.SSS][ zzz]")
                                     .withZone(java_timezone)
                                     .withLocale(java_locale)
end

Instance Method Details

#normalize(value, device_timezone_name = nil) ⇒ `Time`

Parameters:

value (String, Time, Numeric) —

The value to parse. ‘Time`s are returned without modification, and `Numeric` values are treated as millis-since-epoch (as are fully-numeric strings). Strings are parsed unsing any of the supported CEF formats, and when the timestamp does not encode a year, we assume the year from contextual information like the current time.
device_timezone_name (String, nil) (defaults to: nil) —

(optional): If known, the time-zone or UTC offset of the device that encoded the timestamp. This value is used to determine the offset when no offset is encoded in the timestamp. If not provided, the system default time zone is used instead.

Returns:

(Time)

# File 'lib/logstash/codecs/cef/timestamp_normalizer.rb', line 52

def normalize(value, device_timezone_name=nil)
  return value if value.kind_of?(Time)

  case value
  when Numeric                    then Time.at(Rational(value, 1000))
  when INTEGER_OR_DECIMAL_PATTERN then Time.at(Rational(value, 1000))
  else
    parse_cef_format_string(value.to_s, device_timezone_name)
  end
end