2082_filter_section_h_extract_stopwatch.conf

filter {
  if [type] == "mod_security" {

    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    # Promote raw "stopwatch" in section H
    # to a real date. The value is in microseconds
    # since epoch (convert to seconds) then
    # run through logstashes' routine. The result
    # of this is that the logstash @timestamp is converted
    # to be the modsec stopwatch timestamp value. We
    # also retain the milliseconds and seconds fields
    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    grok {
      match => {
        "rawSectionH" => "Stopwatch: %{WORD:event_date_microseconds}"
      }
    }

    mutate {
      convert => [ "event_date_microseconds", "float" ]
    }

    # micro -> milli
    ruby {
      code => "
          event_date_milliseconds = (event.get('event_date_microseconds').to_i / 1000.0)
          event.set('event_date_milliseconds', event_date_milliseconds)
        "
    }

    # milli -> seconds
    ruby {
      code => "
          event_date_seconds = (event.get('event_date_milliseconds').to_i / 1000.0)
          event.set('event_date_seconds', event_date_seconds)
        "
    }

    # NOTE!, this forces the event's @timestamp to be = to the stopwatch value
    date {
      match => [ "event_date_seconds", "UNIX" ]
      timezone => "GMT"
    }

    # a second copy of a iso8601 date
    ruby {
      code => "
          event.set('event_timestamp', (Time.at(event.get('event_date_seconds')).gmtime).iso8601(3))
        "
    }
  }
}