Hey,
I’ve already seen that this topic has been worked on multiple times on this forum, but none of the existing threads could help me. So here we go again!
Graylog Version: Virtual Machine Appliance 3.3.2
I’m trying to parse the original log timestamp (log4j Java logs) from the log line into Graylog. What I’ve done so far:
- set up a grok extractor to parse the timestamp into a separate field called “timestamp_new”
- set up a pipeline to write the timestamp from “timestamp_new” into “timestamp”
- changed the execution order of “message filter chain” and “pipeline processor”, so that the message filter chain is executed before the pipelines
This is my pipeline:
rule "set-log-timestamp"
when
  true
then
  debug("timestamp_new " + to_string($message.timestamp_new));
  debug("timestamp " + to_string($message.timestamp));
  set_field("timestamp", $message.timestamp_new);
  debug("timestamp: " + to_string($message.timestamp));
end
The weird thing is that when I’m checking the Graylog logs I do see the following:
... timestamp_new 2020-08-14 17:31:56,473
... timestamp 2020-08-14T15:31:58.0242
... timestamp: 2020-08-14 17:31:56,473
This looks to me like it’s working? But when checking the Graylog web interface the timestamps are still wrong.
Any idea?
Furthermore, I’m asking myself whether this is the best-practice solution for this problem?
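For readers diagnosing the same symptom, here is an added example rule (not the poster’s rule and not from the Graylog project) that converts the grok-extracted string into a proper date before writing it to “timestamp”. The debug output above shows “timestamp_new” as a plain string in the log4j format “yyyy-MM-dd HH:mm:ss,SSS” (comma before the milliseconds), whereas Graylog’s “timestamp” field must hold a date value; a string assigned there is not a valid timestamp for indexing, which is why the debug call prints it but the web interface still shows the original value. The pattern is taken from the sample value in the post; the timezone “Europe/Berlin” is an assumption, chosen only because the debug lines show the log time two hours ahead of the UTC receive time, and must be replaced with the timezone the application actually logs in.

```text
rule "set-log-timestamp"
when
  // only act on messages where the grok extractor produced the field
  has_field("timestamp_new")
then
  // parse_date(value, pattern, [locale], [timezone]) returns a DateTime;
  // the pattern matches log4j's "2020-08-14 17:31:56,473" layout.
  // Timezone is an assumption: set it to the zone the source logs in,
  // otherwise the value is interpreted as UTC and lands hours off.
  let new_ts = parse_date(
    value: to_string($message.timestamp_new),
    pattern: "yyyy-MM-dd HH:mm:ss,SSS",
    timezone: "Europe/Berlin"
  );
  set_field("timestamp", new_ts);
  // the original string field is no longer needed once "timestamp" is a date
  remove_field("timestamp_new");
end
```

A quick check after deploying: the “timestamp” column in the search view should show the log time converted to the user’s display timezone, and messages whose “timestamp_new” fails to parse will keep the receive time rather than being dropped, because the rule condition only guards on the field existing, not on successful parsing; if you need to catch those, test the result of parse_date before calling set_field.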