Pipeline rule on ingested JSON data via Filebeat and NDJSON parser

gsmith · March 13, 2023, 10:41pm

Hello && Welcome @foobug

Correct me if I’m wrong you need a pipe for epoch time? if so here is an example

rule "Jira | Replace @timestamp with application.audit.timestamp.epochSecond for audit logs"
when
    true
then
  let ts_millis = to_long($message.application.audit.timestamp.epochSecond) / 1000000;
  let new_date = parse_unix_milliseconds(ts_millis);
  set_field("epoch_timestamp", new_date);
  set_field("timestamp", new_date);
end

divide unix timestamp in nanoseconds by 1000000 and you have miliseconds. Then use it in function parse_unix_milliseconds()

Some findings;

Topic		Replies	Views
Pipeline grok syntax Graylog Central (peer support)	4	5690	December 19, 2017
Messages not affected by pipeline Graylog Central (peer support) pipeline-rules , debuggingpl , sidecar , filebeat-windows	2	727	July 22, 2021
RHEL 7, Graylog 2.3 and 2.4: only raw input for linux beats and its parsing Graylog Central (peer support) pipeline-rules , sidecar , winlogbeat	5	552	February 5, 2020
Extract Json via Pipeline Graylog Central (peer support)	6	1829	August 8, 2022
Pipelines, JSON, array for tags Graylog Central (peer support)	6	832	February 24, 2023

Pipeline rule on ingested JSON data via Filebeat and NDJSON parser

Related Topics