When I click on the parameter in the web ui message view, Graylog reports it as a “compound(date,string)”.
This indicates that you have the same field name in different indices as date OR string. That means over the time range you are searching you have some indices that hold a date and some that hold a string.
This seems to indicate that Graylog isn’t consuming it as a timestamp that includes date and time. While I’m able to search by date range, it doesn’t seem to recognize the time as well. I have full control of the value being sent, so I can format it however I want. So, my question is simply whether there is a particular timestamp format that is directly consumable by Graylog so that it will recognize the full date+time value. And, is there a place in the documentation I’ve missed that would give information about this? I’d certainly be willing to read up on it, if I’ve missed it.
If the time is sent consistently in a field as a date (as you did) and you do not have other messages that use the same field name but send strings, this will happen. What you could always do is create a custom mapping for your indices in Elasticsearch to force this field to be a date field, and as long as the date is something that Elasticsearch can ingest the message will be accepted; otherwise it would be dropped.
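To make the custom-mapping advice above concrete, here is an added example (not code from the thread or from the Graylog project) that builds the Elasticsearch index template pinning a field to type `date`, and does the pre-flight check a practitioner wants before installing it: since a value the mapping cannot parse causes the whole message to be rejected, it tests sample timestamp strings against an approximation of what the default `strict_date_optional_time||epoch_millis` formats accept. The field name `event_time`, the template name, the `graylog_*` index pattern and the sample values are assumptions for this example; the mapping layout with a `message` document type is the pre-Elasticsearch-7 form, and the `legacy_type=None` switch drops it for newer clusters.

```python
import json
import re

# Assumed names for this example: the field the poster controls, the Graylog
# index prefix, the template name, and the Elasticsearch default date formats.
FIELD = "event_time"
INDEX_PATTERN = "graylog_*"
TEMPLATE_NAME = "graylog-custom-date-mapping"
DATE_FORMATS = "strict_date_optional_time||epoch_millis"


def build_date_template(field=FIELD, index_pattern=INDEX_PATTERN,
                        formats=DATE_FORMATS, legacy_type="message"):
    """Return the JSON body of an index template that forces `field` to the
    Elasticsearch date type on every index matching `index_pattern`.

    legacy_type="message" produces the pre-ES-7 layout with a document type
    level (what Graylog used on Elasticsearch 5.x/6.x); legacy_type=None
    produces the typeless ES 7+ layout. Index templates only affect indices
    created after they are installed, so the active Graylog index set must
    be rotated for the mapping to take effect.
    """
    props = {field: {"type": "date", "format": formats}}
    mappings = {legacy_type: {"properties": props}} if legacy_type \
        else {"properties": props}
    return {"index_patterns": [index_pattern], "mappings": mappings}


def curl_command(es_url="http://localhost:9200", template_name=TEMPLATE_NAME,
                 **template_kwargs):
    """Return the curl invocation that installs the template (assumed host)."""
    body = json.dumps(build_date_template(**template_kwargs))
    return ("curl -X PUT -H 'Content-Type: application/json' "
            f"'{es_url}/_template/{template_name}' -d '{body}'")


# Approximation of the default date formats: strict_date_optional_time is an
# ISO 8601 date (4-digit year) with an optional 'T'-separated time, optional
# fraction and optional zone; epoch_millis is an integer. Anything this
# rejects would fail to index once the field is mapped as date.
_ISO = re.compile(
    r"^\d{4}-\d{2}-\d{2}"
    r"(T\d{2}:\d{2}(:\d{2}(\.\d{1,9})?)?(Z|[+-]\d{2}:?\d{2})?)?$")
_EPOCH_MS = re.compile(r"^-?\d+$")


def accepted_by_date_mapping(value):
    """True if `value` looks parseable by strict_date_optional_time||epoch_millis."""
    s = str(value)
    return bool(_ISO.match(s) or _EPOCH_MS.match(s))


def preflight(values):
    """Return the sample values that the date mapping would reject."""
    return [v for v in values if not accepted_by_date_mapping(v)]


if __name__ == "__main__":
    # Constructed sample values standing in for what the poster's sender emits.
    samples = [
        "2019-03-05T14:22:11.123Z",   # ISO 8601 with millis and zone: accepted
        "2019-03-05T14:22:11+01:00",  # ISO 8601 with offset: accepted
        1551795731123,                # epoch milliseconds: accepted
        "2019-03-05 14:22:11",        # space instead of 'T': rejected
        "03/05/2019 2:22 PM",         # locale format: rejected
    ]
    print(curl_command())
    print("would be rejected by the date mapping:", preflight(samples))
```

Run the pre-flight against the exact strings your sender produces before installing the template; once a rejected format reaches Elasticsearch under a date mapping the message is dropped rather than stored as a string, and Graylog lists such rejections under its indexer failures. Switching the sender to ISO 8601 with a `T` separator and an explicit zone (the first two samples) is the simplest way to carry the full date and time through.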