Set timezone based on some condition

I have logs with 2 different timestamp formats coming from the same input, and I use Grok pattern extractors for parsing.
One is yyyyMMddHHmmss (i.e. 20190321094517) and the other is dd/MMM/yyyy:HH:mm:ss Z (i.e. 21/Mar/2019:09:55:46 +0000).
How can I tell Graylog that the first timestamp is also +0000, so it must be converted to my local timezone (currently Graylog thinks it's already in my timezone, so search results are not correct)?

Use a pipeline.
You can make a regexp to recognize the format, and afterwards you can format the time as you wish.

Do you mean “change the format before the message passes through the extractor”?

In pipelines you can do anything with the messages: overwrite, create, or drop fields, or the full messages.
Graylog processes only RFC-formatted timestamps (I don’t know the exact RFC numbers; use Google: rfc syslog). Otherwise it puts the current time into the timestamp field.
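
The pipeline approach suggested in this thread, written out as an added example (not code posted by any participant): two rules that recognise each format with a regexp and set `timestamp` with an explicit zone. The field name `log_time` is an assumption standing in for whatever field the Grok extractor writes the raw time string to.

```graylog
// Added example. Assumption: the Grok extractor stores the raw time string
// in a field named "log_time" (hypothetical name; substitute your own).

rule "compact timestamp is UTC"
when
  has_field("log_time") &&
  regex(pattern: "^\\d{14}$", value: to_string($message.log_time)).matches == true
then
  // yyyyMMddHHmmss carries no offset, so state the zone explicitly as UTC
  // instead of letting it be read as local time.
  let ts = parse_date(
    value: to_string($message.log_time),
    pattern: "yyyyMMddHHmmss",
    timezone: "UTC"
  );
  set_field("timestamp", ts);
end

rule "access-log timestamp with offset"
when
  has_field("log_time") &&
  regex(pattern: "^\\d{2}/[A-Za-z]{3}/\\d{4}:", value: to_string($message.log_time)).matches == true
then
  // The trailing Z token takes the offset (+0000) from the value itself;
  // the English locale is needed for month names such as "Mar".
  let ts = parse_date(
    value: to_string($message.log_time),
    pattern: "dd/MMM/yyyy:HH:mm:ss Z",
    locale: "en"
  );
  set_field("timestamp", ts);
end
```

Attach both rules to one stage of a pipeline connected to the stream, and make sure the Pipeline Processor runs after the Message Filter Chain so the extractor has already populated the field. Graylog stores `timestamp` in UTC and the search UI converts it to the user's timezone for display.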
