How to split timestamp to date AND time

Stupid question maybe, but I have scratched my face to this stupid wall enough today…

from this:
timestamp: 2020-03-25 10:34:00 +02:00 (hower shows it like 2020-03-25T08:34:00.191Z)

to these:
date: 2020-03-25
time: 10:34:00 (or 10:34:00.191)

NOW I have this pipeline:

rule “split_timestamp”
when
has_field(“timestamp”)
then
let stamp = regex(("(^.)T(.)"),to_string($message.timestamp));

set_field("date", to_string(stamp["0"]));
set_field("time", to_string(stamp["1"]));
//set_field("ts_minute", $message.timestamp.minuteOfHour);
//set_field("ts_second", $message.timestamp.secondOfMinute);

end

But the resulting is (not from same logrow, but You see the format:
date: 2020-03-25 00:00:00 +02:00 (hovers “correctly” 2020-03-25)
time: 08:34:00.191Z (can leave the Z by altering pipeline regex)

Graylog internally store timestamps as UTC, and show it as timezone you setup (based on user account profile settings). If you login as admin user, check if you have setup correct timezone in server.conf file:

Change line:
root_timezone = Europe/Bratislava

or similar to your real timezone, and restart graylog service.

If you use another user (as admin), chcek your timezone settings in your use profile.

I did this with extractors and not pipelines, but I’m sure you can modify… the grok patterns in Graylog weren’t enough, so I created 2 new ones based off existing ones and then used them in my extractor.

Grok Pattern TS-YMND (TimeStamp-YearMonthNumDay)
TS_YMND (?>\d\d){1,2}/-/-

Grok Pattern Time_HMSu (HoursMinutesSecondsMicroseconds)
Time_HMSu (?!<[0-9])(?:2[0123]|[01]?[0-9]):(?:[0-5][0-9])(?::(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?))(?![0-9])

finaly I created an extractor that looks like this:
%{TS_YMND:MessageDate}T%{Time_HMSu:MessageTime}%{ISO8601_TIMEZONE:ISO-Timezone}

ISO8601_TIMEZONE is a builtin and is optional… I use both…so you could probably just use

%{TS_YMND:MessageDate}T%{Time_HMSu:MessageTime}

hth…

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.