Graylog timestamp issue for filebeat logs


(pradeep) #1

I want to change the Graylog timestamp to match my log timestamp. How can I do it with “pipelines”?

sample log:- “2018-12-20 00:44:29 @It’s easy to get Azure App Services to e-mail you if something bad happens with your app.”

When I try to add a pipeline rule, it shows an error:

rule "timestamp"
when
    has_field("transaction_date")
then
    let current_year = now().year;
    let ts_string = concat(to_string(current_year), concat(" ", to_string($message.timestamp)));
    let new_date = parse_date(to_string($message.timestamp),"yyyy-MMM-dd HH:mm:ss","Asia/Kolkata");
    set_field("timestamp", new_date);
end

Please help me get this done.


(Ben van Staveren) #2

Have you parsed the message already so that the transaction_date field exists? If not, do that first.

The rest of your rule, you can forget about current_year and ts_string, they aren’t needed (first 2 lines). The rest of it looks fine - you could alternatively try to flex_parse_date instead.
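
The two steps described in this reply (parse the message so that transaction_date exists, then parse that field into the timestamp), as an added example that is not part of the original thread or either poster's code. It assumes the log line starts with the timestamp as in the sample log, that each rule is saved separately and attached to consecutive stages of one pipeline, and it uses the pattern `yyyy-MM-dd HH:mm:ss` because the sample has a numeric month; the rule names and the group name `ts` are made up for illustration.

```graylog
// Rule 1 (assumed to be attached to stage 0): pull the leading
// "yyyy-MM-dd HH:mm:ss" out of the raw message into transaction_date.
// Messages that do not start with a timestamp are left untouched.
rule "extract transaction_date"
when
    has_field("message") &&
    regex("^(\\d{4}-\\d{2}-\\d{2} \\d{2}:\\d{2}:\\d{2})", to_string($message.message)).matches == true
then
    // "ts" is a hypothetical name given to the first capture group
    let m = regex("^(\\d{4}-\\d{2}-\\d{2} \\d{2}:\\d{2}:\\d{2})", to_string($message.message), ["ts"]);
    set_field("transaction_date", m["ts"]);
end

// Rule 2 (assumed to be attached to stage 1, so it runs after rule 1):
// convert the extracted string to a date and overwrite the message
// timestamp. The timezone says how to interpret the log's local time.
rule "timestamp from transaction_date"
when
    has_field("transaction_date")
then
    let new_date = parse_date(value: to_string($message.transaction_date), pattern: "yyyy-MM-dd HH:mm:ss", timezone: "Asia/Kolkata");
    set_field("timestamp", new_date);
end
```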


(pradeep) #3

Hi,
Thanks for the reply. I am new to Graylog. Can you please tell me what steps to follow to change the Graylog timestamp to the log timestamp? I am using Filebeat to fetch logs.


(Ben van Staveren) #4

Step 1: Answer the question I asked you in my previous post :wink:
Step 2 through Step X: to be determined based on the answer.

Asking the same question repeatedly will not have the effect you want.


(pradeep) #5

No! How can I parse those messages? These are my logs.


(Ben van Staveren) #6

Sorry guy, but I’m not your support system - read the fine manual, then come back with a properly framed question. If you’re unable or unwilling to do that, I find myself unable (and unwilling) to answer questions.

