I am a beginner and am getting acquainted with Graylog features.
I have an incoming stream of messages in a format that starts with “[2021-05-12T13:01:11.123]”. I can match this sequence with the expression ([0-9-T.:]+). I want to replace the timestamp in Graylog with this matched string. I am creating a rule in a pipeline for this stream.
rule "replace timestamp"
when
true
then
let result = regex("([0-9-T.:]+)", $message);
let new_date = parse_date(result, "yyyy-MM-dd'T'HH:mm:ss","IST");
set_field("timestamp", new_date);
end
It throws errors due to the regex expression when applying and saving.
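rule "replace timestamp"
when
    true
then
    // $message is the whole message object; the text to search is its "message" field.
    let result = regex("([0-9-T.:]+)", to_string($message.message));
    // The first capture group is at index "0"; ".SSS" in the pattern covers the milliseconds.
    let new_date = parse_date(to_string(result["0"]), "yyyy-MM-dd'T'HH:mm:ss.SSS","IST");
    set_field("timestamp", new_date);
end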
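A guarded variant of the rule, as an added example that is not part of the original thread: it rewrites the timestamp only when the message text actually starts with a bracketed timestamp, and keeps the receive time in a separate field. The rule name, the `received_timestamp` field name and the `Asia/Kolkata` zone (reading "IST" as India Standard Time) are assumptions.

```graylog
rule "replace timestamp (guarded)"
when
    has_field("message") &&
    regex("^\\[([0-9-T.:]+)\\]", to_string($message.message)).matches == true
then
    // The "when" clause has already confirmed the anchored pattern matches,
    // so capture group "0" holds the text between the leading brackets.
    let m = regex("^\\[([0-9-T.:]+)\\]", to_string($message.message));

    // Preserve the time Graylog received the message before overwriting it
    // (field name is an assumption for this example).
    set_field("received_timestamp", $message.timestamp);

    // Named arguments, so the call does not depend on parameter order.
    // The time zone ID is an assumption; use the zone the sender logs in.
    let new_date = parse_date(
        value: to_string(m["0"]),
        pattern: "yyyy-MM-dd'T'HH:mm:ss.SSS",
        timezone: "Asia/Kolkata"
    );
    set_field("timestamp", new_date);
end
```

Messages that do not start with a bracketed timestamp skip the rule and keep the timestamp Graylog assigned on receipt.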