Date Processing

Here’s where I landed. Thank you @gsmith for your help.

    let message_time_str = concat(to_string(extract_1.message_timestamp), to_string(extract_1.year));
    let date_time_object = parse_date(
        value: to_string(message_time_str), 
        pattern: "MMM dd HH:mm:ssYYYY",
        timezone: "US/Eastern"
        );
        
    set_field("timestamp", date_time_object);

This process gets the year in there and sets the timezone correctly. Finally, it overwrites the timestamp field that used to hold the timestamp of when Graylog received the message (the default) but I want it to hold the timestamp that was put into the original syslog message.

I find I’m frequently using the to_string() function and things break down when I don’t use it. Doesn’t it already know it’s a string!? I grew up using Pascal and C++. How the system doesn’t already know it’s a string is beyond me. :wink:

1 Like