I want to change the Graylog timestamp to the timestamp in my log. How can I do it with “pipelines”?
Sample log: “2018-12-20 00:44:29 @It’s easy to get Azure App Services to e-mail you if something bad happens with your app.”
When I try to add the pipeline rule, it shows an error:
rule "timestamp"
when
    has_field("transaction_date")
then
    let current_year = now().year;
    let ts_string = concat(to_string(current_year), concat(" ", to_string($message.timestamp)));
    let new_date = parse_date(to_string($message.timestamp), "yyyy-MMM-dd HH:mm:ss", "Asia/Kolkata");
    set_field("timestamp", new_date);
end
Have you parsed the message already so that the transaction_date field exists? If not, do that first.
The rest of your rule, you can forget about current_year and ts_string, they aren’t needed (first 2 lines). The rest of it looks fine - you could alternatively try to flex_parse_date instead.
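An added example, not part of the original posts: one way to write the rule for the sample line above, assuming the raw log line arrives in the `message` field and always starts with the timestamp. The sample shows a numeric month, so the date pattern here is `yyyy-MM-dd HH:mm:ss` (`MMM` expects a month abbreviation such as `Dec`); the field name `received_at` is hypothetical and keeps the receive time so ingestion delay stays visible when building a timeline.

```graylog
rule "timestamp from log line"
when
    // Only act on messages that begin with "yyyy-MM-dd HH:mm:ss"
    regex(
        pattern: "^\\d{4}-\\d{2}-\\d{2} \\d{2}:\\d{2}:\\d{2}",
        value: to_string($message.message)
    ).matches == true
then
    // Capture the leading timestamp; the first capture group is m["0"]
    let m = regex(
        pattern: "^(\\d{4}-\\d{2}-\\d{2} \\d{2}:\\d{2}:\\d{2})",
        value: to_string($message.message)
    );
    // Interpret the captured string as local time in Asia/Kolkata
    let new_date = parse_date(
        value: to_string(m["0"]),
        pattern: "yyyy-MM-dd HH:mm:ss",
        timezone: "Asia/Kolkata"
    );
    // Preserve the time Graylog received the message (hypothetical field name)
    set_field("received_at", $message.timestamp);
    // Replace the message timestamp with the event time from the log line
    set_field("timestamp", new_date);
end
```

The rule only takes effect once it is added to a pipeline stage and that pipeline is connected to the stream receiving the Filebeat messages.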
Hi,
Thanks for the reply. I am new to Graylog. Can you please tell me what steps to follow to change the Graylog timestamp to the log timestamp? I am using Filebeat to fetch logs.
Sorry guy, but I’m not your support system - read the fine manual, then come back with a properly framed question. If you’re unable or unwilling to do that, I find myself unable (and unwilling) to answer questions.