Parse original log timestamp into Graylog

Hey,

I’ve already seen that this topic has been worked on multiple times on this forum, but none of the existing threads could help me. So here we go again!

Graylog Version: Virtual Machine Appliance 3.3.2

I’m trying to parse the original log-timestamp (log4j java logs) from the log line into Graylog. What I’ve done so far:

  • setup grok extractor to parse the timestamp into a separate field called “timestamp_new”
  • setup pipeline to write the timestamp from “timestamp_new” into “timestamp”
  • changed execution order of “message filter chain” and “pipeline processor”, so that the message chain is executed before the pipelines

This is my pipeline:

rule "set-log-timestamp"
when
    true
then
    debug("timestamp_new " + to_string($message.timestamp_new));
    debug("timestamp " + to_string($message.timestamp));
    set_field("timestamp", $message.timestamp_new);
    debug("timestamp: " + to_string($message.timestamp));
end

The weird thing is that when I’m checking the graylog-logs I do see the following:

... timestamp_new 2020-08-14 17:31:56,473
... timestamp 2020-08-14T15:31:58.0242
... timestamp: 2020-08-14 17:31:56,473

This looks to me like it’s working? But when checking graylog-webinterface the timestamps are still wrong.

Any idea?
Furthermore I’m asking myself if this is the best practice solution for this problem?
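For reference, here is an added version of the rule (not the poster's own) that converts the extracted string into a date before assigning it: Graylog keeps `timestamp` as a date value, so the text in `timestamp_new` has to go through `parse_date` rather than being copied as a string. The log4j pattern and the `Europe/Berlin` timezone are assumptions; the two-hour gap between the two debug values above is consistent with the application logging local time while Graylog stores UTC, so the zone must be supplied explicitly or the events land at the wrong point on the timeline when correlating them.

```graylog
rule "set-log-timestamp"
when
    // only act when the grok extractor actually produced the field;
    // otherwise the timestamp Graylog assigned at receive time is kept
    has_field("timestamp_new")
then
    // log4j default layout, e.g. 2020-08-14 17:31:56,473 (assumed format)
    // the log line carries no zone, so the zone the application runs in
    // is supplied here (assumption: Europe/Berlin)
    let parsed = parse_date(
        value: to_string($message.timestamp_new),
        pattern: "yyyy-MM-dd HH:mm:ss,SSS",
        timezone: "Europe/Berlin"
    );
    // assign the date value, not the string
    set_field("timestamp", parsed);
    // drop the helper field so the stored message stays clean
    remove_field("timestamp_new");
end
```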
