I’ve already seen that this topic has been worked on multiple times on this forum, but none of the existing threads could help me. So here we go again!
Graylog Version: Virtual Machine Appliance 3.3.2
I’m trying to parse the original log-timestamp (log4j java logs) from the log line into Graylog. What I’ve done so far:
- setup grok extractor to parse the timestamp into a separate field called “timestamp_new”
- setup pipeline to write the timestamp from “timestamp_new” into “timestamp”
- changed execution order of “message filter chain” and “pipeline processor”, so that the message chain is executed before the pipelines
This is my pipeline:
rule "set-log-timestamp"
when
  true
then
  // print the extracted value and the current message timestamp before the change
  debug("timestamp_new " + to_string($message.timestamp_new));
  debug("timestamp " + to_string($message.timestamp));
  // copy the extracted value into the timestamp field as-is
  set_field("timestamp", $message.timestamp_new);
  // print the timestamp field again after the change
  debug("timestamp: " + to_string($message.timestamp));
end
The weird thing is that when I’m checking the Graylog logs I do see the following:
... timestamp_new 2020-08-14 17:31:56,473 ... timestamp 2020-08-14T15:31:58.0242 ... timestamp: 2020-08-14 17:31:56,473
This looks to me like it’s working? But when checking the Graylog web interface the timestamps are still wrong.
Furthermore I’m asking myself if this is the best practice solution for this problem?
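For comparison, here is a variant of the rule that converts the extracted string into a proper date before writing it to the timestamp field. This is an added example, not the poster’s rule and not code from the Graylog project: it uses Graylog’s built-in parse_date and has_field pipeline functions with a Joda-Time pattern matching the log4j value shown in the debug output (`2020-08-14 17:31:56,473`). The timezone "Europe/Berlin" is an assumption for illustration; it must be replaced with the zone the application actually logs in, otherwise every event is shifted by that zone’s UTC offset and no longer lines up with other sources during an investigation.

```graylog
rule "set-log-timestamp-parsed"
when
  // only touch messages where the grok extractor actually produced the field
  has_field("timestamp_new")
then
  // parse_date turns the string into a DateTime; the field "timestamp" expects a
  // DateTime, so assigning the raw string does not change what the UI displays.
  // Pattern is Joda-Time syntax: comma before milliseconds as in the log4j output.
  let parsed_ts = parse_date(
    value: to_string($message.timestamp_new),
    pattern: "yyyy-MM-dd HH:mm:ss,SSS",
    timezone: "Europe/Berlin"   // assumption: the zone the application writes its logs in
  );
  set_field("timestamp", parsed_ts);
  // optional check while testing: both values should now refer to the same instant
  debug("timestamp after parse: " + to_string($message.timestamp));
end
```

Two things are worth checking once this is in place: the debug output should show the new timestamp in Graylog’s normal ISO form (`yyyy-MM-ddTHH:mm:ss.SSS`) rather than the log4j form, and the difference between the parsed event time and the original ingest-time value should be only the few seconds of delivery lag, not whole hours, which would indicate the wrong zone was configured.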