Match Message Against a timestamp RegEx

shoothub · August 4, 2021, 3:28pm

Your pipeline rule have some problems:

You use wrong $message definition, try use to_string($message.message)
You need to use index or name or group to point to regex result.

Replace line:
let new_date = parse_date(result, "yyyy-MM-dd'T'HH:mm:ss","IST");
with:
let new_date = parse_date(result["0"], "yyyy-MM-dd'T'HH:mm:ss","IST");
Functions — Graylog 4.1.0 documentation

Your format in parse_date function missing milliseconds
Functions — Graylog 4.1.0 documentation

So try this one:

rule "replace timestamp"
when
    true
then
    let result = regex("([0-9-T.:]+)", to_string($message.message));
    let new_date = parse_date(to_string(result["0"]), "yyyy-MM-dd'T'HH:mm:ss.SSS","IST");
    set_field("timestamp", new_date);
end

Topic		Replies	Views
Pipeline parsing and setting correct timestamp Graylog Central (peer support) pipeline-rules	11	13308	July 20, 2017
Pipeline for timestamp Graylog Central (peer support)	6	3743	April 19, 2018
Struggling With Timestamp conversion Graylog Central (peer support) pipeline-rules , timestamp	4	25	September 6, 2024
Replacing default Graylog timestamp via Pipeline Processor Graylog Central (peer support) pipeline-rules , debuggingpl	13	11117	March 25, 2019
Parse date from string in pipeline rule Graylog Central (peer support) pipeline-rules , docker	3	1246	May 30, 2023

Match Message Against a timestamp RegEx

Related Topics