Hello,
Looking at pipelines for how to convert date/time, and since we're dealing with epoch time, have you seen these links? I believe you can just use a pipeline to convert the date/time and remove the extractor, unless you have to use an extractor.
1. Fortigate changed eventtime from seconds to nanoseconds - #2 by shoothub
Or perhaps this?
2. Graylog Knowledge Base - Pipeline Rule Samples
Is it possible to give a more accurate example of the raw message received, and ensure personal info is either replaced or removed?
Here is an example of mine.
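```
rule "Epoch Convert"
when
  has_field("eventtime")
then
  // Scale eventtime down by 1000 and treat the result as epoch milliseconds
  let ts_millis = to_long($message.eventtime) / 1000;
  let new_date = parse_unix_milliseconds(ts_millis);
  // Store the parsed date in its own field; "timestamp" is left untouched
  set_field("epoch_timestamp", new_date);
  //set_field("timestamp", new_date);
end
```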
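The following is an added example, not part of the original post: a set of Graylog pipeline rules that pick the scale factor from the number of digits in `eventtime`, so that seconds, milliseconds, microseconds and nanoseconds all end up as a correct date for log correlation. It assumes `eventtime` is a purely numeric epoch value and that 10, 13, 16 and 19 digits mean seconds, milliseconds, microseconds and nanoseconds respectively; the rule names are made up here, and each rule is saved as its own rule in the pipeline stage.

```graylog
// Added example. Assumption: a 19-digit eventtime is epoch nanoseconds.
rule "eventtime ns to date"
when
  has_field("eventtime") &&
  regex("^[0-9]{19}$", to_string($message.eventtime)).matches == true
then
  let ts_millis = to_long($message.eventtime) / 1000000;
  set_field("epoch_timestamp", parse_unix_milliseconds(ts_millis));
end

// Assumption: a 16-digit eventtime is epoch microseconds.
rule "eventtime us to date"
when
  has_field("eventtime") &&
  regex("^[0-9]{16}$", to_string($message.eventtime)).matches == true
then
  let ts_millis = to_long($message.eventtime) / 1000;
  set_field("epoch_timestamp", parse_unix_milliseconds(ts_millis));
end

// Assumption: a 13-digit eventtime is already epoch milliseconds.
rule "eventtime ms to date"
when
  has_field("eventtime") &&
  regex("^[0-9]{13}$", to_string($message.eventtime)).matches == true
then
  set_field("epoch_timestamp", parse_unix_milliseconds(to_long($message.eventtime)));
end

// Assumption: a 10-digit eventtime is epoch seconds.
rule "eventtime s to date"
when
  has_field("eventtime") &&
  regex("^[0-9]{10}$", to_string($message.eventtime)).matches == true
then
  let ts_millis = to_long($message.eventtime) * 1000;
  set_field("epoch_timestamp", parse_unix_milliseconds(ts_millis));
end
```

A message whose `eventtime` matches none of the four patterns is left without `epoch_timestamp`, which makes malformed values easy to search for.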