Nginx log access time stamps cannot be converted

Hi
My nginx log access timestamp cannot be converted. The nginx log format I used is in JSON format, as shown in the figure below:

In the above figure, I imported past log information, and the timestamp cannot be changed to the past.

nginx timestamp "08/Apr/2018:14:39:07 +0800" unable to convert to "2018-04-08T14:39:07Z"

I use a pipeline, but I can't always convert successfully.
Pipeline rules:

rule "parse event timestamp"
when
    true
then
    let new_date = to_date(to_string($message.event_ts), "yyyy-MM-dd'T'HH:mm:ss Z");
    set_field("event", new_date);
end

How do I configure it?

The date pattern you’re using in to_date() is not the pattern used in the “event_ts” field.

Additionally, you have to use parse_date() instead of the to_date() function, also see http://docs.graylog.org/en/2.4/pages/pipelines/functions.html#overview.

use parse_date()

Your date pattern is incorrect.

How do I write my date pattern?

See http://docs.graylog.org/en/2.4/pages/pipelines/functions.html#parse-date.

Hi
I have solved the problem.

Because I had the nginx log sent to Graylog in JSON format, after JSON parsing the timestamp field is a string, not a time format, so it cannot be used directly as a time.

It is only necessary to change the timestamp in the log to the time format.
I am using pipeline in graylog.
The pipeline rules are as follows:

rule "parse timestamp"
when
    true
then
    let ngx_timestamp=grok("%{HTTPDATE:timestamp;date;dd/MMM/yyyy:HH:mm:ss Z}", to_string($message.timestamp), true); //use grok rule
    set_fields(ngx_timestamp);
end
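
The parse_date() approach suggested in the replies, written out as an added example (not code from any poster in this thread). It assumes the nginx time string arrives in the `event_ts` field, as in the first rule above, and that the parsed value should become the message `timestamp`.

```graylog
rule "parse nginx event_ts with parse_date"
when
    // Only run on messages that actually carry the field (assumed name: event_ts)
    has_field("event_ts")
then
    // Joda-Time pattern for the nginx format, e.g. 08/Apr/2018:14:39:07 +0800
    //   dd/MMM/yyyy  -> 08/Apr/2018
    //   HH:mm:ss     -> 14:39:07
    //   Z            -> +0800 (offset without colon)
    // locale "en" makes the abbreviated month name "Apr" parse on servers
    // whose default locale is not English.
    let ts = parse_date(
        value: to_string($message.event_ts),
        pattern: "dd/MMM/yyyy:HH:mm:ss Z",
        locale: "en"
    );

    // Overwrite the receive time with the event time from the log line.
    // The offset is honoured: 14:39:07 +0800 is stored as 06:39:07 UTC.
    set_field("timestamp", ts);
end
```

With the event time in `timestamp`, imported historical logs sort and correlate by when the request happened rather than by when Graylog received them.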
