Extract Timestamp from Log and apply it to the index

My logs have timestamps in this format: 20/Apr/2018:08:12:54 +0000

I’m using %{HTTPDATE:log_timestamp} to extract them, which seems to work because Graylog shows me this field after reading the messages. Now I want to apply a rule to the imported messages so that the index uses the log timestamp instead of the import timestamp.

I tried with the following rule:

rule "timestamp-to-log-timestamp"
when
  has_field("log_timestamp")
then
  let new_ts = parse_date(to_string($message.log_timestamp), "dd/MMM/yyyy':'HH:mm:ss +Z");
  set_field("timestamp", new_ts);
end

But this does not work. Could anybody help me out with that rule?

Thanks!

You can convert that directly into a proper timestamp:
http://docs.graylog.org/en/2.4/pages/extractors.html#using-grok-patterns-to-extract-data (pretty much at the bottom of that section)

The date pattern is wrong.
http://docs.graylog.org/en/2.4/pages/pipelines/functions.html#parse-date
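A corrected version of the rule from the question, added here as an example rather than taken from the thread: parse_date takes a Joda-Time format pattern, where the letter Z on its own matches an offset such as +0000, so the literal "+" in the original pattern has to go. The explicit "en" locale argument is an assumption added so that the month abbreviation ("Apr") parses regardless of the server's default locale.

```text
rule "timestamp-to-log-timestamp"
when
  has_field("log_timestamp")
then
  // Input looks like: 20/Apr/2018:08:12:54 +0000
  // Joda-Time pattern: "Z" consumes the signed offset "+0000" itself,
  // so the pattern must not contain a literal "+" before it.
  // "en" locale (assumed) keeps "Apr" parsing independent of server locale.
  let new_ts = parse_date(to_string($message.log_timestamp), "dd/MMM/yyyy:HH:mm:ss Z", "en");
  set_field("timestamp", new_ts);
end
```

After the rule runs, the message's timestamp field carries the log's own time (converted to UTC), which is what the index uses for ordering and retention.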
