Why on earth is the displayed information different from the Debug? Still shows UTC.
Script:
rule "Local Time Addition"
when
    has_field("winlogbeat_@timestamp")
then
    let new_date = parse_date(to_string($message."winlogbeat_@timestamp"), "yyyy-MM-dd'T'HH:mm:ss.SSSZ", "CA", "EST");
    debug(new_date);
    set_field("local_time", new_date);
end
You see in the debug function the timezone added to the timestamp. I guess you are working with the built-in “admin” user? That has the default timezone set to UTC.
The timezone of the user is used to transform every timestamp in the UI to the user's local time, which for the admin user is UTC.
Use a different user and change the timezone to the wanted one and it will work like it should.
Thanks for getting back to me. So I logged in using a different user with the right timezone on the UI and over ssh as well (I checked with the ‘date’ command) and I am having the same result.
What I am trying to achieve is to send an email notification with a field containing the local time timestamp of the event.
If you look at the picture, the field called Timestamp seems correct but it’s just Graylog displaying it in the UI. Trying to use it in a function and it only sends the underlying UTC time.
That’s why I am using this pipeline function to append a new field ‘local_time’ to the message that I can use for my email notifications. It seems to work as per the debugging but on the display and in the email, it still shows in UTC. What am I doing wrong?