You make it too complex:
rule "correct timestamp for logs from IIS"
when
    contains(
        value: to_string($message.type),
        search: "iis",
        ignore_case: true)
    AND has_field(field: "log_timestamp")
then
    let log_timestamp = $message.log_timestamp;
    let timestamp = $message.timestamp;
    debug(value: concat(
        first: "timestamp before changing: ",
        second: to_string(timestamp)));
    debug(value: concat(
        first: "log_timestamp: ",
        second: to_string(log_timestamp)));
    // "Z" in the pattern expects a zone offset such as "+0000" in log_timestamp;
    // if the field carries no offset, drop the " Z" and pass timezone: "UTC" instead.
    let time = parse_date(
        value: to_string(log_timestamp),
        pattern: "yyyy-MM-dd HH:mm:ss Z");
    // every statement ends with a semicolon (it was missing here)
    set_field(field: "timestamp", value: time);
    // the local variable "timestamp" still holds the old value, so read the field again
    debug(value: concat(
        first: "After changing: ",
        second: to_string($message.timestamp)));
end
Just parse the date you want to have and then set the parsed value as the time; Graylog/Elasticsearch will take care that the time is formatted in the right way.
The above should work; I'm not sure about the debug statements.
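As an added example that is not part of the reply above and not Graylog's own code: a Python stand-in for the rule's parse step, showing what the `Z` in `yyyy-MM-dd HH:mm:ss Z` demands of the `log_timestamp` value and what the `timezone` fallback buys you when the log line has no offset. It assumes Joda-style semantics for `parse_date` (an offset such as `+0100` is mandatory when `Z` is in the pattern; an explicit timezone only applies to zone-less input); the function names and the sample values are mine and constructed.

```python
from datetime import datetime, timezone, timedelta

# Python equivalents of the two Joda patterns under discussion (assumption:
# Graylog's parse_date follows Joda rules, so "Z" requires an offset like +0000).
WITH_ZONE = "%Y-%m-%d %H:%M:%S %z"      # "yyyy-MM-dd HH:mm:ss Z"
WITHOUT_ZONE = "%Y-%m-%d %H:%M:%S"      # "yyyy-MM-dd HH:mm:ss"


def matches_zone_pattern(value: str) -> bool:
    """True if the value would satisfy the zone-bearing pattern the rule uses."""
    try:
        datetime.strptime(value, WITH_ZONE)
        return True
    except ValueError:
        return False


def parse_log_timestamp(value: str, assumed_offset: timedelta = timedelta(0)) -> datetime:
    """Return an aware UTC datetime for a log_timestamp string.

    Tries the zone-bearing pattern first; if the string carries no offset, falls
    back to the zone-less pattern and applies assumed_offset, which mirrors
    parse_date(..., timezone: "...") (default UTC).
    """
    try:
        parsed = datetime.strptime(value, WITH_ZONE)
    except ValueError:
        parsed = datetime.strptime(value, WITHOUT_ZONE).replace(
            tzinfo=timezone(assumed_offset))
    return parsed.astimezone(timezone.utc)


def to_index_timestamp(dt: datetime) -> str:
    """Render the way Graylog shows the stored (UTC) timestamp field."""
    return dt.strftime("%Y-%m-%d %H:%M:%S.000")


# Constructed sample values for the log_timestamp field (not real log data).
SAMPLES = {
    "with_offset": "2024-03-05 14:22:31 +0100",   # parses with the "Z" pattern
    "utc_marker":  "2024-03-05 14:22:31 +0000",   # parses with the "Z" pattern
    "no_zone":     "2024-03-05 14:22:31",         # needs the fallback + timezone
}


def demo() -> dict:
    """Map each sample to the UTC timestamp that would end up in the index."""
    return {name: to_index_timestamp(parse_log_timestamp(value))
            for name, value in SAMPLES.items()}


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name}: zone pattern ok={matches_zone_pattern(value)} -> {demo()[name]}")
```

The third sample is the one that silently breaks the rule as written: with `Z` in the pattern the parse fails, so the `timestamp` field is never replaced. Pick one pattern that matches what IIS actually writes, and supply the site's offset via `timezone:` only for the zone-less form.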