I have been trying to overwrite the default Graylog timestamps for our Apache 2.2 log messages with the actual timestamp of the respective message.
I used the solution from this post as a start: Searching imported logs by log timestamp, not time Graylog received the log
My own rule now looks as follows:
rule "replace timestamp"
when
  // only touch messages where the extractor has already populated the field
  has_field("http_time")
then
  let new_date = parse_date(to_string($message.http_time), "yyyy-MM-dd'T'HH:mm:ss");
  // overwrite Graylog's receive time with the parsed Apache timestamp
  set_field("timestamp", new_date);
end
The field http_time is extracted via the JSON extractor and looks like this:
So it should match the given format exactly. Yet when I use the Pipeline rule like that, the connected streams just drop every new message while I don’t get any error messages in the Graylog log.
I already checked that the Extractor is run before the Pipeline, so the field http_time should be populated. Also when I alter the parsing format in the pipeline rule so that it doesn’t match I get the correct processing error messages in the log and the messages don’t get dropped.
I’m running Graylog version 2.4.5.
I’m not sure if I just forgot something somewhere along the line, but I’m really out of ideas right now.
Thanks already in advance!
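A quick pre-check that is not part of the question above and not Graylog's own code: before wiring a `parse_date` pattern into a pipeline rule, run a sample of the extracted `http_time` values through the equivalent Python `strptime` pattern and see which ones fail. The mapping of the Java/Joda pattern `yyyy-MM-dd'T'HH:mm:ss` to `%Y-%m-%dT%H:%M:%S`, the sample values and the source-zone offset are assumptions constructed for this example; the point it shows is that the pattern carries no zone field, so any offset, fractional seconds or separator change in the real values makes the parse fail, and a value that does parse still needs its zone supplied explicitly before it is compared with UTC timestamps.

```python
"""Pre-check http_time values against the pattern used in a Graylog pipeline
rule. Added example; sample values are constructed, not taken from real logs."""
from datetime import datetime, timezone, timedelta

# Assumed Python equivalent of the Java/Joda pattern yyyy-MM-dd'T'HH:mm:ss
STRPTIME_PATTERN = "%Y-%m-%dT%H:%M:%S"

# Constructed sample http_time values: the first two match the pattern, the
# rest carry extras (zone offset, fractional seconds, a space instead of 'T')
# that a strict pattern match rejects.
SAMPLE_HTTP_TIME = [
    "2018-07-12T14:03:27",
    "2018-07-12T23:59:59",
    "2018-07-12T14:03:27+02:00",
    "2018-07-12T14:03:27.123",
    "2018-07-12 14:03:27",
]


def parse_http_time(value, pattern=STRPTIME_PATTERN):
    """Return a naive datetime, or None when the value does not match the pattern."""
    try:
        return datetime.strptime(value, pattern)
    except ValueError:
        return None


def check_samples(values, pattern=STRPTIME_PATTERN):
    """Split values into (parsed, rejected) so mismatches surface before deployment.

    parsed maps the original string to its datetime; rejected keeps input order.
    """
    parsed, rejected = {}, []
    for value in values:
        parsed_dt = parse_http_time(value, pattern)
        if parsed_dt is None:
            rejected.append(value)
        else:
            parsed[value] = parsed_dt
    return parsed, rejected


def to_utc(naive_dt, source_offset_hours):
    """Attach the log source's UTC offset (assumed known) and convert to UTC.

    The pattern has no zone field, so the offset has to be supplied explicitly
    rather than left for the indexer to guess.
    """
    source_zone = timezone(timedelta(hours=source_offset_hours))
    return naive_dt.replace(tzinfo=source_zone).astimezone(timezone.utc)


if __name__ == "__main__":
    ok, bad = check_samples(SAMPLE_HTTP_TIME)
    for value, parsed_dt in ok.items():
        print(f"{value} -> {to_utc(parsed_dt, 2).isoformat()}")
    for value in bad:
        print(f"REJECTED: {value!r} does not match {STRPTIME_PATTERN}")
```

Run it against a few hundred real `http_time` values pulled from the extractor output; if anything lands in the rejected list, the pipeline pattern needs adjusting before the rule is attached to a stream.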