We do something you might need with a grok pattern, the timestamp is put into the graylog timestamp field, in our case the timestamp matches the graylog one:
rule "Parse - messages"
when
// Use routing message to select messages
to_string($message.message_route) == "logging_route"
then
let pf = grok(
pattern: "%{TIMESTAMP_ISO8601:timestamp} %{INT:UNWANTED} *%{WORD:app_loglevel} %{NOTSPACE:app_thread} %{WORD:app_threadname} -%{GREEDYDATA:app_statusmessage}",
value: to_string($message.message),
only_named_captures: true
);
set_fields(pf);
// Add Parse field for easier message tracing
set_field("parse","Parse - app_logging");
end