Different Timestamp in Search and in Enterprise Search

Hello,

I installed Graylog 3.0, first I configured open source version, for my logs I override timestamp with pipelines, and its all work (Message Filter Chain -> Pipeline Processor). After this I decided to check enterprise version ( need to use Views), and I encountered an error.
In Enterprise/Extended Search timestamp is not override. I view the time when the logs came to the server ( so its not override via pipelines). So I have a different time for logs in Search and in Enterprise Search, can i fix this issue ? Or how I can to debug this?

Thank for answering me

P.S. Excuse me for my not perfect english.

Could you please post some screenshots of the same messages in both searches that demonstrate your finding?

thx

Yes, of cause.

Graylog2.png1852×700 75.2 KB

Graylog.png1850×927 134 KB

Thank you.
P.S. My timestamp in epoch format, I use pipelines to convert to Date format, and change timestamp field.

Is this offset/difference of ~3 minutes the same for all messages?

Can you post the pipeline rule(s) you are using?

Yes, it is the same for all messages, in search I override timestamp and the time of log is right after pipeline, in enterprise search I think graylog-server give to log own timestamp.

rule “parse event timestamp”
when
true
then
let timestamp_date= parse_unix_milliseconds(to_long($message.time)*1000);
let timestamp_format = format_date(timestamp_date,“yyyy-MM-dd HH:mm:ss.SSSZ”);
set_field(“timestamp”, timestamp_format);
end

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.