I’m working with rules in the pipelines. I’m trying to get the proper date into Graylog based on the date in the syslog message.
My Aruba messages are similar to this: <139>Feb 3 10:12:24 2022 mobility01 authmgr: <132197> <ERRS> <mobility01 192.0.2.5> Maximum number of retries was attempted for station 8c:fc:5a:92:53:d4
Here’s where I landed. Thank you @gsmith for your help.
// extract_1 is the map returned by an earlier grok()/regex() extraction in the same rule
let message_time_str = concat(to_string(extract_1.message_timestamp), to_string(extract_1.year));
let date_time_object = parse_date(
  value: message_time_str,
  pattern: "MMM dd HH:mm:ssYYYY",
  timezone: "UTC");  // placeholder: the post does not name the zone, set yours here
set_field("timestamp", date_time_object);
This process gets the year in there and sets the timezone correctly. Finally, it overwrites the timestamp field that used to hold the timestamp of when Graylog received the message (the default), but I want it to hold the timestamp that was put into the original syslog message.
I find I’m frequently using the to_string() function and things break down when I don’t use it. Doesn’t it already know it’s a string!? I grew up using Pascal and C++. How the system doesn’t already know it’s a string is beyond me.
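The same extraction and timestamp override, written as a stand-alone Python parser for the Aruba line format shown in the post. This is an added example, not the poster's pipeline rule and not Graylog code: the regex field layout (PRI, month/day/time, year, host, process, rest of message), the field names, the `SAMPLE` line and the `SAMPLE_RECEIVED_AT` value are constructed here, and `ASSUMED_TZ` is UTC only because the post does not say which zone it uses. Unlike the post's `ssYYYY` pattern, it puts a space between the time and the year before parsing, so the seconds and year fields cannot run together; it also keeps the original receive time under `received_at` and records a parse failure instead of silently leaving the receive time in `timestamp`.

```python
import re
from datetime import datetime, timezone

# Constructed sample, modelled on the Aruba message in the post.
SAMPLE = ("<139>Feb 3 10:12:24 2022 mobility01 authmgr: <132197> <ERRS> "
          "<mobility01 192.0.2.5> Maximum number of retries was attempted "
          "for station 8c:fc:5a:92:53:d4")
# Constructed receive time, standing in for Graylog's default timestamp.
SAMPLE_RECEIVED_AT = "2022-02-03T15:20:00+00:00"
# Assumed: the post never names its zone. Replace with the device's real zone.
ASSUMED_TZ = timezone.utc

# Assumed field layout of the Aruba line: <PRI>Mon d HH:MM:SS YYYY host process: rest
ARUBA_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<message_timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<year>\d{4}) "
    r"(?P<host>\S+) "
    r"(?P<process>[^:\s]+): "
    r"(?P<message>.*)$"
)


def extract_fields(line):
    """Break one Aruba syslog line into named fields, or None if it does not match."""
    m = ARUBA_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    pri = int(fields["pri"])
    fields["facility"] = pri // 8   # RFC 3164: PRI = facility * 8 + severity
    fields["severity"] = pri % 8
    return fields


def parse_event_time(message_timestamp, year, tz=ASSUMED_TZ):
    """Join the year-less timestamp with the year field and parse it as a zone-aware time.

    Mirrors the post's concat() + parse_date() step. Single-digit days ("Feb 3")
    and the double-space form ("Feb  3") are both accepted.
    """
    combined = " ".join(message_timestamp.split()) + " " + year
    naive = datetime.strptime(combined, "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=tz)


def build_event(line, received_at, tz=ASSUMED_TZ):
    """Produce the event record, replacing the receive time with the time in the message."""
    fields = extract_fields(line)
    if fields is None:
        # Keep the receive time but make the failure visible instead of silent.
        return {"timestamp": received_at, "received_at": received_at, "parse_error": True}
    fields["received_at"] = received_at
    fields["timestamp"] = parse_event_time(fields["message_timestamp"], fields["year"], tz)
    fields["parse_error"] = False
    return fields


if __name__ == "__main__":
    event = build_event(SAMPLE, SAMPLE_RECEIVED_AT)
    for key, value in event.items():
        print(f"{key:18} {value}")
```

Running the script prints the parsed fields; `timestamp` comes out as `2022-02-03T10:12:24+00:00` under the assumed UTC zone, while `received_at` still carries the constructed receive time, so both are available for search and for spotting clock skew between the device and the collector.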