Logstash - Augmenting events with day of week and day of month

It is useful sometimes to have day of week and day of month in fields that are separate from the @timestamp so we can make aggregations or even machine learning jobs to find a potential correlation between your events and weekdays.

In Logstash you can add the following to your pipeline:

    input {...}
    filter {

        date {...} #your timestamp

        mutate {
            add_field => {"[day_of_week]" => "%{+EEE}"}
            add_field => {"[day_of_month]" => "%{+d}"}
    output {...}

The result is that Logstash will extract the values from the current @timestamp using the same syntax used in the date filter.

We could also have the week day in full, using %{EEEE}. You can see the whole syntax here.

Written on May 28, 2018