Hi Team,

I am setting up application which could read events from graylog_* indices and help me in further cofiguration.

The config file of the application detect TIMESTAMP of below parameters hence would like to know what field should be added or opted which matches exactly the way graylog offers the time.

[derivedfields]

These fields will be extracted from all processed events, and added as new fields in case an outlier event is found.

The format for the new field will be: outlier.<field_name>, for example: outliers.initials

The format to use is GROK. These fields are extracted BEFORE the analysis happens, which means that these fields can also be used as for example aggregators or target

s in use cases.
timestamp=%{YEAR:timestamp_year}-%{MONTHNUM:timestamp_month}-%{MONTHDAY:timestamp_day}[T ]%{HOUR:timestamp_hour}:?%{MINUTE:timestamp_minute}(?::?%{SECOND:timestamp_seco
nd})?%{ISO8601_TIMEZONE:timestamp_timezone}?

Hi,

if you connect directly to elasticsearch to read the graylog_* indices, you can check directly the Elasticsearch field mappings for that field. See https://www.elastic.co/guide/en/elasticsearch/reference/5.2/indices-get-field-mapping.html

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.