I don’t know if you solved your problem or not - but my Stage 0 for Fortinet devices (almost all have the weird timestamp):
```
rule "fortigate timestamp"
when
    // Match Fortinet messages that carry separate date and time fields
    (has_field("devname") && has_field("date") && has_field("time")) or
    (has_field("device_id") && contains(to_string($message.device_id), "FNTORONTO1", true) && has_field("date") && has_field("time")) or
    (has_field("device_id") && contains(to_string($message.device_id), "FNTORONTO2", true) && has_field("date") && has_field("time"))
then
    // Join the date and time fields into a single "date time" string
    let build_message_0 = concat(to_string($message.date), " ");
    let build_message_1 = concat(build_message_0, to_string($message.time));
    // Parse in the devices' local timezone ("ss" = two-digit seconds)
    let new_timestamp = parse_date(value:to_string(build_message_1), pattern:"yyyy-MM-dd HH:mm:ss", timezone:"America/Toronto");
    set_field("timestamp", new_timestamp);
end
```
I add one for the devices in each timezone as they don’t typically change in/out too often.
EDIT: I was also advised to use the rename function in the past; I just haven’t revisited this in a while, and I know the above works in our environment.