I am setting up an application which could read events from graylog_* indices and help me in further configuration.
The config file of the application detects the TIMESTAMP of the parameters below, hence I would like to know which field should be added or opted for that matches exactly the way Graylog offers the time.
These fields will be extracted from all processed events, and added as new fields in case an outlier event is found.
The format for the new field will be: outlier.<field_name>, for example: outliers.initials
The format to use is GROK. These fields are extracted BEFORE the analysis happens, which means that these fields can also be used, for example, as aggregators or targets in use cases.
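As an added illustration of the derived-field mechanism quoted above (example code written for this thread, not code from the application or from Graylog): a small grok-to-regex expander carrying a handful of the standard grok base patterns, applied to constructed events shaped like graylog_* documents. The `timestamp` values in the sample events use the `yyyy-MM-dd HH:mm:ss.SSS` form that Graylog writes to its index, which is assumed here; the config layout (`DERIVED_CONFIG`), the `outliers.` prefix, the helper names and the aggregation step are hypothetical and only show how a derived field becomes usable as an aggregator before any analysis runs.

```python
import re
from collections import Counter
from functools import lru_cache

# Minimal subset of the standard grok pattern library (hand-copied here; not the full library).
BASE_PATTERNS = {
    "YEAR": r"(?:\d\d){1,2}",
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "WORD": r"\b\w+\b",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
}
# Composite pattern built from the primitives above, like grok's own TIMESTAMP_ISO8601.
BASE_PATTERNS["TIMESTAMP_ISO8601"] = "%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?"

# Matches %{PATTERN} or %{PATTERN:capture_name}; the capture name may contain dots.
GROK_REF = re.compile(r"%\{(\w+)(?::([\w.]+))?\}")

# Hypothetical prefix for derived fields, following the "outliers.<field_name>" convention quoted above.
DERIVED_FIELD_PREFIX = "outliers."


@lru_cache(maxsize=None)
def compile_grok(pattern):
    """Expand a grok pattern into a compiled regex. Returns (regex, capture_names).

    Capture names are stored positionally (group c0, c1, ...) because Python named
    groups cannot contain dots, while grok capture names can.
    """
    names = []

    def expand(p):
        def repl(m):
            base, capture = m.group(1), m.group(2)
            if base not in BASE_PATTERNS:
                raise KeyError(f"unknown grok pattern %{{{base}}}")
            if capture:
                idx = len(names)          # reserve the group index before expanding nested refs
                names.append(capture)
                return f"(?P<c{idx}>{expand(BASE_PATTERNS[base])})"
            return f"(?:{expand(BASE_PATTERNS[base])})"
        return GROK_REF.sub(repl, p)

    return re.compile(expand(pattern)), tuple(names)


def derive_fields(event, derived_config):
    """Apply {source_field: grok_pattern} to one event; return only the new outliers.* fields.

    A missing source field or a non-matching pattern yields no derived fields for that entry,
    so a bad timestamp format simply produces nothing rather than a wrong value.
    """
    derived = {}
    for source_field, pattern in derived_config.items():
        value = event.get(source_field)
        if value is None:
            continue
        regex, names = compile_grok(pattern)
        match = regex.search(str(value))
        if not match:
            continue
        for i, name in enumerate(names):
            derived[DERIVED_FIELD_PREFIX + name] = match.group(f"c{i}")
    return derived


def aggregate(events, derived_config, aggregator_field):
    """Count events per value of a derived field, i.e. use it as an aggregator before analysis."""
    counts = Counter()
    for event in events:
        fields = derive_fields(event, derived_config)
        if aggregator_field in fields:
            counts[fields[aggregator_field]] += 1
    return dict(counts)


# Constructed sample events shaped like graylog_* documents (assumed stored timestamp format).
SAMPLE_EVENTS = [
    {"timestamp": "2023-04-12 09:15:42.123", "source": "web01", "message": "user alice login ok"},
    {"timestamp": "2023-04-12 09:47:03.007", "source": "web02", "message": "user bob login ok"},
    {"timestamp": "2023-04-12 23:58:10.550", "source": "web01", "message": "user alice login failed"},
]

# Hypothetical derived-field config: source field -> grok pattern with named captures.
DERIVED_CONFIG = {
    "timestamp": "%{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day} %{HOUR:hour}:%{MINUTE:minute}:%{SECOND:second}",
    "message": "user %{WORD:user} login %{WORD:result}",
}

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(derive_fields(ev, DERIVED_CONFIG))
    print(aggregate(SAMPLE_EVENTS, DERIVED_CONFIG, "outliers.hour"))
    print(aggregate(SAMPLE_EVENTS, DERIVED_CONFIG, "outliers.user"))
```

If Graylog's stored timestamp does not match the grok pattern, `derive_fields` returns no `outliers.*` fields for that event, which is the symptom to look for when checking whether the configured pattern matches the way Graylog offers the time.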