So I have a device that will not allow me to adjust the syslog timestamp. As a result, it only sends messages with UTC timestamps, so if I want to find the messages that this device has sent, I have to select an absolute time reference and set the search time to the current time in UTC. Once I do this, the messages do return, but if I select last 5 minutes, they do not return. Even if I select “ALL MESSAGES”, those messages from the device do not return.
Why does the relative time reference not take into account the messages that were received from this device with the UTC timestamp? Could I have a configuration issue? Is this a bug?
You would need to correct the timestamp of the messages with extractors or the processing pipelines.
I guess the syslog messages did not include timezone information, but as written it is possible to correct that. This community board includes some posts that explain that.
One example to correct the time with a processing pipeline rule could be:
rule "cisco (3.3) correct timestamp NEXUS"
// we want to create ISO8601 Timestamps
// make '2015 Feb 15 13:33:22.111' ISO8601
when
has_field("cisco_message") AND
has_field("log_date") AND
grok(pattern: "%{YEAR} %{MONTH} %{MONTHDAY} %{TIME}", value:to_string($message.log_date)).matches == true
then
let time = parse_date(value:to_string($message.log_date), pattern:"yyyy MMM dd HH:mm:ss.SSS", timezone:"UTC");
set_field("timestamp",time);
end
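To show what the rule above is compensating for, here is an added Python model (not from the thread and not Graylog code) of the same situation: the zone-less Cisco `log_date` parsed as UTC versus parsed with a wrongly assumed local offset, and the effect on a "last N minutes" search. The UTC-4 offset and the sample message are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Same zone-less format the pipeline rule above targets: '2015 Feb 15 13:33:22.111'
CISCO_FORMAT = "%Y %b %d %H:%M:%S.%f"


def parse_cisco_date(log_date: str, offset_hours: int = 0) -> datetime:
    """Parse a Cisco/NX-OS log_date and attach the zone it was really written in.

    The string carries no zone, so whoever parses it decides the zone. The
    device in the thread writes UTC (offset 0); a consumer that assumes its own
    local offset instead silently shifts every message.
    """
    naive = datetime.strptime(log_date, CISCO_FORMAT)
    return naive.replace(tzinfo=timezone(timedelta(hours=offset_hours)))


def to_iso8601_utc(log_date: str) -> str:
    """What the rule's set_field("timestamp", ...) produces: ISO 8601 in UTC."""
    return parse_cisco_date(log_date, 0).isoformat()


def stored_skew(log_date: str, assumed_offset_hours: int) -> timedelta:
    """Skew between the real instant (UTC) and the instant a consumer stores
    when it wrongly assumes `assumed_offset_hours` (constructed: -4, a server
    in a UTC-4 zone). Positive means the stored time lies in the future, so the
    message only enters a 'last N minutes' window that many hours late."""
    real = parse_cisco_date(log_date, 0)
    stored = parse_cisco_date(log_date, assumed_offset_hours)
    return stored.astimezone(timezone.utc) - real


def in_relative_window(log_date: str, now: datetime, minutes: int,
                       assumed_offset_hours: int = 0) -> bool:
    """Model a 'last N minutes' search: does the stored timestamp fall in
    [now - N min, now]? With the right offset (0) a fresh message is found;
    with the wrong one it is not, matching the behaviour described above."""
    stored = parse_cisco_date(log_date, assumed_offset_hours)
    return now - timedelta(minutes=minutes) <= stored <= now


if __name__ == "__main__":
    # Constructed sample: message written at 13:33:22 UTC, searched at 13:35 UTC
    sample = "2015 Feb 15 13:33:22.111"
    now = datetime(2015, 2, 15, 13, 35, tzinfo=timezone.utc)
    print(to_iso8601_utc(sample))
    print("skew if parsed as UTC-4:", stored_skew(sample, -4))
    print("found in last 5 min (parsed as UTC):", in_relative_window(sample, now, 5))
    print("found in last 5 min (parsed as UTC-4):", in_relative_window(sample, now, 5, -4))
```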
Is it worth putting in a bug, or would this be considered an expected limitation? If nothing else, perhaps the label “all messages” should be changed. It seems confusing and would’ve saved me a lot of time trying to figure out why messages were showing up 4 hours late.