Searching imported logs by log timestamp, not time Graylog received the log

An example based on @lennart's comment.

I struggled for 4 hours just to figure that out. :smiley: Hope this will save some time for others.

E.g.

  1. I stored the event timestamp value in event_ts, extracted from the Apache combined log with Grok.
  2. A processing pipeline rule parses the value I grokked and stores it in the timestamp field.

The following is an example rule.

rule "parse event timestamp"
when
    // only run on messages where Grok actually extracted the field,
    // otherwise parse_date("") errors and aborts the rule
    has_field("event_ts")
then
    // Apache combined log timestamp, e.g. 10/Oct/2000:13:55:36 -0700
    // Joda pattern: HH is the 24-hour clock (hh is 1-12 and fails on 13..23),
    // Z parses the numeric offset so the DateTime carries the right zone
    let new_date = parse_date(to_string($message.event_ts), "dd/MMM/yyyy:HH:mm:ss Z");
    // overwrite the message timestamp so searches use event time, not receive time
    set_field("timestamp", new_date);
end

I would like to know if my approach is proper, or if there is a better way to achieve it.

Cheers,

ye

3 Likes
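The same extract-and-parse step, written out in Python as an added example (not code from the post above or from Graylog) so the format details can be checked offline. The sample log lines are constructed, the regex stands in for the Grok `%{COMBINEDAPACHELOG}` timestamp capture, `RECEIVED_AT` stands in for the time Graylog received the message, and the `_FMT` constants translate the Joda pattern from the rule into strptime syntax; it also shows why a 12-hour-clock pattern (Joda `hh`, strptime `%I`) rejects afternoon timestamps.

```python
"""Parse Apache combined-log timestamps into a UTC datetime, as the pipeline
rule does, and demonstrate the 12-hour vs 24-hour pattern pitfall.
Added example; the log lines below are constructed, not real traffic."""
import re
from datetime import datetime, timezone

# Constructed sample lines in Apache combined log format.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" '
    '200 2326 "-" "Mozilla/4.08"',
    '198.51.100.7 - frank [11/Oct/2000:02:03:04 +0200] "POST /login HTTP/1.1" '
    '302 512 "http://example.com/" "curl/7.64"',
    "garbage line without a timestamp",
]

# Assumed ingest time, standing in for the timestamp Graylog assigns on receipt.
RECEIVED_AT = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)

# Stand-in for the Grok timestamp capture: the bracketed field only.
TS_RE = re.compile(
    r"\[(?P<event_ts>\d{2}/[A-Z][a-z]{2}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]"
)

# Joda "dd/MMM/yyyy:HH:mm:ss Z" in strptime syntax (24-hour clock).
CORRECT_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Joda "hh" (1-12 clock) in strptime syntax; kept only to show the failure.
TWELVE_HOUR_FMT = "%d/%b/%Y:%I:%M:%S %z"


def extract_event_ts(line):
    """Return the raw bracketed timestamp, or None when Grok would not match."""
    m = TS_RE.search(line)
    return m.group("event_ts") if m else None


def parse_event_ts(raw, fmt=CORRECT_FMT):
    """Parse the raw field with its numeric offset and normalise to UTC,
    which is how the DateTime ends up stored in the Graylog timestamp field."""
    return datetime.strptime(raw, fmt).astimezone(timezone.utc)


def message_timestamp(line, received_at):
    """Mimic the rule: use the event time when the field exists, otherwise
    keep the receive time (the has_field guard in the rule)."""
    raw = extract_event_ts(line)
    if raw is None:
        return received_at
    return parse_event_ts(raw)


def twelve_hour_pattern_fails(raw):
    """True when the 12-hour pattern rejects the value (hours 13..23)."""
    try:
        datetime.strptime(raw, TWELVE_HOUR_FMT)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        ts = message_timestamp(line, RECEIVED_AT)
        print(f"{ts.isoformat()}  <- {line[:45]}...")
    print("12-hour pattern rejects 13:55:36:",
          twelve_hour_pattern_fails("10/Oct/2000:13:55:36 -0700"))
```

Run it as a script to see each line's resulting timestamp; the third line keeps the receive time because no event timestamp was extracted, which is the case the `has_field` guard exists for.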