Log timestamp vs graylog one

my application log send json with timestamp key . How I can distinguish between the log one and the graylog ingestion timestamp?

I tried to add an extractor but it seems that the only timestamp that I can get is the graylog one
Is possible to change the graylog timestamp key?

We do something you might need with a grok pattern, the timestamp is put into the graylog timestamp field, in our case the timestamp matches the graylog one:

rule "Parse - messages"
    // Use routing message to select messages
    to_string($message.message_route) == "logging_route"
let pf = grok(
    pattern: "%{TIMESTAMP_ISO8601:timestamp} %{INT:UNWANTED} *%{WORD:app_loglevel} %{NOTSPACE:app_thread} %{WORD:app_threadname} -%{GREEDYDATA:app_statusmessage}",
    value: to_string($message.message),
    only_named_captures: true
// Add Parse field for easier message tracing
set_field("parse","Parse - app_logging");

Good luck.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.