I am attempting to create a pipeline rule that will convert a received Zulu timestamp to UTC and set that to a new field. Below is an example of the raw value of the data_win_system_systemTime field I am looking to convert:
Below is my pipeline rule:
rule "Windows timestamp test"
when
  has_field("data_win_system_systemTime")
then
  let time = parse_date(to_string($message.data_win_system_systemTime), "yyyy-MM-dd HH:mm:ss.S");
  set_field("timestamp_utc", time);
end
However, this gives me the following processing error:
Error evaluating action for rule <Windows timestamp test/6333b7c5dd19951e41a7550c> (pipeline <PROCESSING PIPELINES/61b26faf0d480d7e18261548>) - In call to function 'parse_date' at 6:30 an exception was thrown: Invalid format: "2022-09-28T15:00:12.489269700Z" is malformed at "T15:00:12.489269700Z", Replaced invalid timestamp value in message <435ca260-3f3e-11ed-a1d7-860000fcadae> with current time - Value <2022-09-28T15:00:13.444+0000> caused exception: Invalid format: "2022-09-28T15:00:13.444+0000" is malformed at "T15:00:13.444+0000"
I have tried different variations of the timestamp pattern, such as
yyyy-MM-dd HH:mm:ss.S Z and
yyyy-MM-dd HH:mm:ss, but haven't had any luck.
Is there anything I am missing or not fully understanding?
I am running Graylog 4.2.6
Thanks for the help!
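
A rule whose pattern matches the value quoted in the error above (`2022-09-28T15:00:12.489269700Z`), added here as an example and not part of the original post. It assumes the field always ends in a literal `Z`; the rule name and the regex guard are illustrative choices.

```graylog
rule "Windows systemTime to UTC (example)"
when
  has_field("data_win_system_systemTime") &&
  // Guard (assumption): only parse values shaped like 2022-09-28T15:00:12.489269700Z,
  // so an unexpected value skips the rule instead of raising a processing error.
  regex(
    "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d+Z$",
    to_string($message.data_win_system_systemTime)
  ).matches == true
then
  // parse_date takes a Joda-Time pattern. The 'T' separator and the trailing 'Z'
  // are literal characters in the input, so they are quoted in the pattern.
  // The original pattern used a space where the input has 'T', which is where
  // the "malformed at" error points.
  // The nine S letters cover the nine fractional digits; the resulting date
  // keeps millisecond precision.
  let time = parse_date(
    value: to_string($message.data_win_system_systemTime),
    pattern: "yyyy-MM-dd'T'HH:mm:ss.SSSSSSSSS'Z'",
    timezone: "UTC"
  );
  set_field("timestamp_utc", time);
end
```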