Odd search behaviour (time related)

benvanstaveren · February 5, 2019, 11:47am

Okay, this is getting interesting. I modified the pipeline to add some intermediate fields and I found the following:

Original log message contains a JSON field with a timestamp of 2019-02-05 11:20:10.396

It’s handled as follows:

let fields = select_jsonpath(parsed_tree, {  new_ts: "$.Time" });
set_field("test_ts", to_string(fields.new_ts));
let ts = parse_date(to_string(fields.new_ts), "YYYY-MM-DD HH:mm:ss.SSS", "UTC");
set_field("timestamp", ts);

What happens when I look at a stored message is fun:

test_ts field in the message contains the correct parsed date: 2019-02-05 11:20:10.396
timestamp field in the message contains: 2019-01-05 11:20:10.396

It seems that somewhere along the line, there’s an off-by-one error on the month and I have no idea where the heck this is coming from.

Topic		Replies	Views
Still having timestamp issues Graylog Central (peer support) pipeline-rules	4	2805	July 18, 2019
All messages search doesn't seem to include "all messages" Graylog Central (peer support)	7	1901	August 22, 2018
Search timestamp range is complete wrong Graylog Central (peer support)	1	349	January 2, 2021
New user - Time question Graylog Central (peer support)	3	455	February 11, 2019
Chart time is off? Graylog Central (peer support)	6	1623	July 1, 2020

Odd search behaviour (time related)

Related topics