Display timestamp through "split and index"

lquin1978 · October 21, 2017, 7:37pm

I have created an extractor using “split and index” whereby the message time stamp is split up into the date and then the time. (At the moment I am just trying to display the time). I saved this into a field called timestamp, but I am unable to call this message in a notification. (the split works fine in the extraction tool)

I have tried the following lines but it will not display, I just get the error shown below:

Date: {message.timestamp.date_syslog} Date: {message.timestamp.fields.date_syslog}

The Graylog server encountered an error while trying to send an email. This is the detailed error message: com.floreysoft.jmte.message.ParseException: Error while parsing ‘message.timestamp.date_syslog’ at location (14:9): Property ‘date_syslog’ on object ‘2017-10-21T19:28:19.606Z’ can not be accessed: “java.lang.NoSuchFieldException: date_syslog”!

jochen · October 22, 2017, 10:12am

The error message simply says that not all messages triggering the alert have the referenced field “date_syslog”.

lquin1978 · October 22, 2017, 1:08pm

okay thanks., so when I open a syslog message there is a timestamp, although it is not part of the message stream. How do I include this timestamp?

jochen · October 22, 2017, 1:15pm

Taking a closer look on your template from the first post, you’re not using the template variables correctly.

The part of your template should probably be as follows:

Date: {message.fields.date_syslog}

But alas it’s hard to say without knowing the configuration of your extractor(s) and some messages you’re processing.

lquin1978 · October 22, 2017, 3:04pm

Its a syslog message that contains no timestamp in the actual message, but I noticed when I open the message graylog adds a timestamp. How do I reference this timestamp in a notification?

jochen · October 22, 2017, 3:32pm

Either ${message.timestamp} (because it’s a special field like message and source) or ${message.fields.timestamp} (if you want to stay consistent with field access to other message fields).

lquin1978 · October 22, 2017, 3:38pm

Great, thank you so much… that worked… however I have one last question. How can I do the following

go from:
DATE: 2017-10-22T15:36:52.117Z
to:
DATE: 2017-10-22
TIME: 15:36:52

jochen · October 23, 2017, 6:24pm

Unless there are fields containing that very information (and nothing else), that’s not possible.

You can only reference complete message fields in the email template, but not parts of fields or execute operations on them.

lquin1978 · October 24, 2017, 12:59pm

I created a extractor based on time stamp (split and index) and was able to get this information seperated, but I don’t know how to reference it in the template

lquin1978 · October 24, 2017, 2:13pm

Nevermind… figured it out… thanks so much for your help!!! you have been great.

system · November 7, 2017, 2:14pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Use Timestamp of logfiles Graylog Central (peer support)	4	4467	August 23, 2018
Extract date from message Graylog Central (peer support)	3	4929	April 21, 2017
Timestamp converter fails when extra space present Graylog Central (peer support)	8	2525	August 25, 2017
Extract Timestamp from Log and apply it to the index Graylog Central (peer support)	2	3763	May 4, 2018
Graylog: one hour time difference between raw and syslog message Graylog Central (peer support)	5	2394	December 25, 2019

Display timestamp through "split and index"

Related Topics