Graylog 4, apache, epoch microseconds to date

We have a bunch of Apache logs being put into a syslog facility by syslog itself, then I forward everything to Graylog via a line like this:

```
. @{{ graylog_server_address_fqdn }}:{{ graylog_ingest_port }};RSYSLOG_SyslogProtocol23Format
```

Our Apache log format is heavily customized, and I do have a grok extractor in Graylog that parses it. One of the fields we parse is the epoch in microseconds; I'd like that to be in a human-readable form.

What's the best way to go about it?

I don't think I need GELF and a template in rsyslog to forward it like that: rsyslog sends a JSON field with "message" containing the Apache log string, and it wouldn't handle that field anyway.

Do I need a processing pipeline, or can I just have the grok pattern handle the conversion of that Apache log string field as it's extracted from the "message"?

Try a pipeline rule like this, which uses the function parse_unix_milliseconds(); I divide the epoch in microseconds by 1000 to get the milliseconds required by the pipeline function.

```
rule "Epoch Convert"
when
  has_field("eventtime")
then
  let ts_millis = to_long($message.eventtime) / 1000;
  let new_date = parse_unix_milliseconds(ts_millis);
  set_field("epoch_timestamp", new_date);
  //set_field("timestamp", new_date);
end
```

Replace eventtime with your real field that contains the epoch in microseconds. Uncomment the line //set_field("timestamp", new_date); if you want to replace the timestamp field with the epoch from Apache.
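A Python stand-in for the extractor-plus-rule flow above, added here and not taken from the thread: it pulls the microsecond field out of a constructed custom Apache line with a grok-like regex, applies the same divide-by-1000 conversion, and shows that the sub-millisecond digits are dropped on the way to parse_unix_milliseconds(). The log format, the regex and the field names are assumptions, not Graylog's or the poster's own.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample line: a custom Apache format whose first field is the
# request time as epoch microseconds (not from the original thread).
SAMPLE_LINE = '1700000000123456 203.0.113.7 "GET /index.html HTTP/1.1" 200 512'

# Stand-in for the grok extractor: one named group per field (assumed format).
LINE_RE = re.compile(
    r'^(?P<eventtime>\d+)\s+(?P<client>\S+)\s+"(?P<request>[^"]*)"\s+'
    r'(?P<status>\d{3})\s+(?P<bytes>\d+)$'
)


def extract_fields(line):
    """Return the fields as strings, like a grok extractor would; {} on no match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else {}


def epoch_convert(message, field="eventtime"):
    """Mirror the rule: has_field -> to_long(...) / 1000 -> parse_unix_milliseconds.

    Sets 'epoch_timestamp' (UTC) and returns the message; leaves it untouched when
    the field is missing or not an integer, so a bad line cannot break the flow.
    """
    if field not in message:
        return message
    try:
        micros = int(message[field])
    except ValueError:
        return message
    # Converting to milliseconds discards the last three digits of the
    # microsecond value; that precision is gone once the rule runs.
    ts_millis = micros // 1000
    secs, millis = divmod(ts_millis, 1000)
    message["epoch_timestamp"] = (
        datetime.fromtimestamp(secs, tz=timezone.utc) + timedelta(milliseconds=millis)
    )
    return message


def to_iso_millis(dt):
    """Render the converted time with millisecond precision, as Graylog displays it."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


if __name__ == "__main__":
    msg = epoch_convert(extract_fields(SAMPLE_LINE))
    print(to_iso_millis(msg["epoch_timestamp"]))  # 2023-11-14T22:13:20.123Z
```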

