Extract Timestamp from Log and apply it to the index

menueco · April 20, 2018, 1:04pm

My logs have timestamps in this format: 20/Apr/2018:08:12:54 +0000

I’m using %{HTTPDATE:log_timestamp} to extract them which seems to work because Graylog shows me this field after reading the messages. Now I want to apply a rule to the imported messages to use the log timestamp instead of the import timestamp in the index.

I tried with the following rule:

rule "timestamp-to-log-timestamp"
when
  has_field("log_timestamp")
then
  let new_ts = parse_date(to_string($message.log_timestamp), "dd/MMM/yyyy':'HH:mm:ss +Z");
  set_field("timestamp", new_ts);
end

But this does not work. Could anybody help me out with that rule?

Thanks!

jochen · April 20, 2018, 1:23pm

You can convert that directly into a proper timestamp:
http://docs.graylog.org/en/2.4/pages/extractors.html#using-grok-patterns-to-extract-data (pretty much at the bottom of that section)

The date pattern is wrong.
http://docs.graylog.org/en/2.4/pages/pipelines/functions.html#parse-date

system · May 4, 2018, 1:23pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Searching imported logs by log timestamp, not time Graylog received the log Graylog Central (peer support) pipeline-rules , dump-messagespl	14	13260	April 23, 2022
Use Timestamp of logfiles Graylog Central (peer support)	4	4616	August 23, 2018
Extract date from message Graylog Central (peer support)	3	5045	April 21, 2017
Timestamp issue Graylog Central (peer support)	4	1476	March 22, 2018
Extract timestamp from message Graylog Central (peer support)	6	4309	March 22, 2021

Extract Timestamp from Log and apply it to the index

Related topics