An example based on @lennart’s comment.
I struggled for 4 hours just to figure this out. Hope this will save some time for others.
E.g.
- I stored the event timestamp value in event_ts, from the Apache combined log. I extracted it with Grok.
- A processing pipeline to parse the value I groked and store it in the timestamp field.
The following is an example rule.
rule "parse event timestamp"
when
true
then
// Apache's %t writes a 24-hour clock (e.g. 10/Oct/2000:13:55:36 -0700),
// so the pattern needs HH (hour of day), not hh (1-12 clock hour of half-day)
let new_date = parse_date(to_string($message.event_ts), "dd/MMM/yyyy:HH:mm:ss Z");
set_field("timestamp", new_date);
end
I would like to know whether my approach is proper, or if there is a better way to achieve it.
Cheers,
ye
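A slightly more defensive version of the same rule, added here as an illustration and not part of the original post. It assumes the Grok-extracted field is still named event_ts and carries the raw Apache %t string (e.g. 10/Oct/2000:13:55:36 -0700). Instead of firing on every message with `when true`, it only runs when the field exists, uses the 24-hour pattern HH, pins the locale to "en" so the month abbreviation parses regardless of the server's JVM locale, and drops the raw string once the parsed value is in timestamp:

```graylog
rule "parse apache event timestamp into timestamp"
when
  // Only fire on messages that actually carry the extracted field
  // (field name event_ts is an assumption taken from the post above)
  has_field("event_ts")
then
  // Apache %t example: 10/Oct/2000:13:55:36 -0700
  // - HH, not hh: the log uses a 24-hour clock
  // - locale "en": MMM must match "Oct" even on a non-English JVM
  // - the trailing Z consumes the numeric offset, so no timezone argument is needed
  let new_date = parse_date(
      value: to_string($message.event_ts),
      pattern: "dd/MMM/yyyy:HH:mm:ss Z",
      locale: "en"
  );
  set_field("timestamp", new_date);
  // Optional: the raw string is redundant once timestamp holds the parsed value
  remove_field("event_ts");
end
```

Keep the rule in a stage that runs after the Grok extraction has populated event_ts; otherwise has_field is false and the timestamp is left at the ingestion time Graylog assigned.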