Hi!
I receive raw syslog from network devices.
And Graylog in timestamp field shows after time our timezone (+03:00)
How can i remove in timestamp field indication +03:00 from all messages?
Hello && welcome @sea_scaner
Can I ask why you want to manipulate the Timestamp?
As you know after Elasticsearch ingest the message it places the timestamp there.
You could creating you own Index Template and/or Pipeline/Extractor to manipulate the Timestamp field.
For further suggestion please look here.
Hi! Thx!
The time from my devices comes correct.
They all have a time zone of +3.00
I just want to customize the timestap field - so that the time is shown correctly without specifying the timezone. Remove +3.00 for more convenient display in dashboards.
By chance have you considered a pipeline? This might be your best bet. Ill look into it for ya unless someone lese comes around to help
Thx!
In log i recieved logs from device with correct time without timezone:
tail -f /var/lib/graylog-server/journal/messagejournal-0/00000000000000020374.log
89>Feb 10 2022 09:02:04 kzn-akt-ne20e-02 %%01CLI/5/CMDRECORD(s):CID=0x80ca2713;Recorded command information. (Task=VTY0, Ip=10.250.29.138, VpnName=_public_, User=admin, AuthenticationMethod="Tacacs", Command="display clock".)
Apparently maybe Graylog or Mongodb add timezone to a timestamp field?
Hello
What I believe needs to happen is the TimeStamp field need to be change to your specifications. This can be done via pipeline.
You can look here what other community members have done.
Or here using our Tag system
Depending on your environment this also can be done via extractor.
Just an FYI, if this is for a few/couple device need to change the timestamp , perhaps create a new input for them and then add the extractor, it’s all about simplicity for today and tomorrow 
This would be mainly be your Elasticsearch.
Hope that helps
Hi thx!
I ran several tests.
-
Made an extractor for my RAW UDP input. It ok, but no hits:
.
. -
I try to Pipeline to change timezone in timestamp field. No errors in Simulator, but no no effect in production:
-
But whet in Pipeline i change timezone to a new field - it ok.
I did something wrong somewhere?
Is it possible to change the timestamp field without adding a new field?
It seems that Greylog automatically adds timezeno to timestamps field.
Basically, I’m fine with it, but i want to make it nice )
Hello
Unfortunately you have to make a new field for the timestamp.
But here is an idea 
So if you created a new timestamp field this will show up on your field search’s.
What could be done is remove “timestamp” as shown below.
Then add your NEW timestamp field. I don’t have the same fields as you, but I believe you get the point.
Results
hope that helps
EDIT: I just noticed you did the same thing that I posted.
Thx!
I will study further
Hello @sea_scaner
Another community member was working on a pipeline/timestamp, which I think maybe of interest to you.
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.