I still have issues with timestamps. I don’t understand why it gives me +2. I just want the original timestamp to show and the system should not modify anything.
I have created a (working) pipeline because of a previous topic I created. This is the result.
But I still see:
Why would the system show me my timezone timestamp? That is so not logical…
I want to see the timestamp of the message. Not the timestamp of the message modified to my current timezone.
Rule on my pipeline:
    rule "fortigate timestamp"
    when
      has_field("devname") && has_field("date") && has_field("time")
    then
      // Join the separate date and time fields into one string
      let build_message_0 = concat(to_string($message.date), " ");
      let build_message_1 = concat(build_message_0, to_string($message.time));
      // Parse the string as local time in the given timezone
      let new_timestamp = parse_date(value:to_string(build_message_1), pattern:"yyyy-MM-dd HH:mm:ss", timezone:"Europe/Amsterdam");
      set_field("timestamp", new_timestamp);
      set_field("Timestamp", new_timestamp);
      set_field("test_timestamp", new_timestamp);
    end
Maybe I need to wait for 2 hours for it to catch up, but changing to absolute time and going 2 hours or more into the future still shows wrong messages.
According to my old topic, this should have been fixed in 3.0.
But I'm on Graylog 3.0.2+1686930.
Since the devices in question are already in TZ Europe/Amsterdam, should I change the new timestamp to UTC first? And then I get correct timestamps? That's not logical either, but…
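
Added example, not part of the original post and not Graylog code: a Python sketch of what a rule like the one above does with a device's `date` and `time` fields, showing how the zone given to the parser and the zone of the viewer each change the displayed value, and how DST transitions make some wall-clock times skipped or repeated. The function names and the sample date/time values are constructed for illustration.

```python
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

PATTERN = "%Y-%m-%d %H:%M:%S"  # strptime equivalent of yyyy-MM-dd HH:mm:ss


def wall_time_status(naive, tz):
    """Classify a local wall-clock time as unique, repeated or skipped."""
    first = naive.replace(tzinfo=tz, fold=0)
    second = naive.replace(tzinfo=tz, fold=1)
    if first.utcoffset() == second.utcoffset():
        return "unique"
    # A skipped time (spring forward) does not survive a UTC round trip.
    back = first.astimezone(timezone.utc).astimezone(tz).replace(tzinfo=None)
    return "repeated" if back == naive else "skipped"


def parse_device_time(date, time, device_tz):
    """Combine date and time fields and return the UTC instant to store."""
    naive = datetime.strptime(f"{date} {time}", PATTERN)
    tz = ZoneInfo(device_tz)
    if wall_time_status(naive, tz) == "skipped":
        raise ValueError(f"{naive} does not exist in {device_tz}")
    return naive.replace(tzinfo=tz).astimezone(timezone.utc)


def render(instant, viewer_tz):
    """Format a stored UTC instant as a viewer in viewer_tz would see it."""
    return instant.astimezone(ZoneInfo(viewer_tz)).strftime(PATTERN)


if __name__ == "__main__":
    # Constructed sample: a device in Europe/Amsterdam logging in summer.
    date, time = "2019-07-01", "14:00:00"
    good = parse_device_time(date, time, "Europe/Amsterdam")
    print("stored (UTC):        ", good.strftime(PATTERN))
    print("viewer in Amsterdam: ", render(good, "Europe/Amsterdam"))
    print("viewer in UTC:       ", render(good, "UTC"))
    # Same fields parsed with the wrong zone: the stored instant moves.
    wrong = parse_device_time(date, time, "UTC")
    print("parsed as UTC, shown in Amsterdam:", render(wrong, "Europe/Amsterdam"))
    # The hour repeated when clocks go back maps to two UTC instants.
    amb = datetime.strptime("2019-10-27 02:30:00", PATTERN)
    print("02:30 on 2019-10-27:", wall_time_status(amb, ZoneInfo("Europe/Amsterdam")))
```
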