Is it safe to say that the timestamp field for an event is most accurately stated as the timestamp of when the Graylog node processed that event? Not the time of receipt of the event by Graylog, nor the time the event was generated on the originating system.
During spikes in incoming events our nodes might fall behind for a few minutes to a few hours, queuing up on the disk journal. An example here being firewall logs during a DDoS attack: while attempting to do research, we realized that the timestamp field does not match what is in the message/full_message body as sent over from the Cisco ASA. It reflects the time at which one of our Graylog nodes finally processed and indexed the message. This makes after-action research much more difficult.
Can I override the timestamp field with, say, a grok or regex extractor from message or full_message? I put one in place earlier today but the timestamp field still reflects the processed time on the Graylog node, not the timestamp from the firewall in the message/full_message fields.
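As an added example (not part of the original post, and not Graylog's or Cisco's own code), a Graylog processing pipeline rule that pulls the firewall's own timestamp out of the message body and writes it into the `timestamp` field, so searches line up with when the ASA emitted the event rather than when a node caught up on its journal. It assumes the ASA is configured to send its own timestamp in the form `Mmm dd yyyy HH:mm:ss` ahead of the `%ASA-` tag, that the firewall clock is UTC, and that Graylog's pipeline functions `regex`, `parse_date` and `set_field` are available as named here.

```graylog
// Assumed ASA line shape (constructed sample, not from the post):
//   <166>Jan 15 2024 10:22:33 fw01 : %ASA-6-302013: Built inbound TCP connection ...
// The rule only fires for ASA messages that carry an embedded timestamp, so
// messages without one keep the Graylog processing time already in `timestamp`.
rule "cisco asa: replace processing time with firewall timestamp"
when
  has_field("message") &&
  contains(to_string($message.message), "%ASA-")
then
  // Capture group 1 = the firewall's own timestamp, e.g. "Jan 15 2024 10:22:33".
  let m = regex("^(?:<\\d+>)?([A-Z][a-z]{2} \\d{1,2} \\d{4} \\d{2}:\\d{2}:\\d{2})",
                to_string($message.message));

  // `timestamp` must be a real date; parse before assigning, never set a string.
  // Timezone is an assumption: set it to whatever the ASA clock is actually in.
  let fw_time = parse_date(to_string(m["0"]), "MMM d yyyy HH:mm:ss", "en", "UTC");

  // Keep the node's processing time in a separate field so the lag during a
  // backlog (journal queueing) can still be measured and alerted on.
  set_field("graylog_processed_at", $message.timestamp);
  set_field("timestamp", fw_time);
end
```

Because `regex` only matches when the timestamp is really present, the `when` clause plus the anchored pattern is what keeps the rule from overwriting `timestamp` with a parse failure on ASA lines logged without `logging timestamp`; the retained `graylog_processed_at` field is the one to plot against `timestamp` to see how far behind the nodes fell.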