Streams Graylog

hi,

it works fine, if it produces a timestamp_test field and the content of that field is the correct event time in UTC. Once you get it working, you can change the extractor so that it saves the result in the timestamp field, and see if it still produces the right time. In my experience, for some reason this second step can be also problematic.

The explanation is:

Hi, thanks both. I did it but the new logs are the same as the others, it isn't converting :frowning:

Example message
2017-06-15T06:38:35.155Z

Extractor configuration:

Extractor type: Copy input
Source field: timestamp
The entire input will be copied verbatim.

Condition: Always try to extract
Store as field: timestamp
Extraction strategy: Copy
Extractor title: Timestamp
Add converter: Convert Date and format string:
Format String: yyyy-MM-dd HH:mm:ss
Time Zone: Madrid
Locale: Spanish

I saved it, then went to Stream (or the main dashboard) and the timestamp of new logs is the same (like 2017-06-15T06:38:35.155Z)

I don't understand how Alerts work.

Alert:
SSH Graylog (Email Alert Callback)
Executed once per triggered alert condition in stream SSH

Stream SSH has entries.

Test Alert works fine. Why do I never receive alerts?
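As an added illustration (this is not Graylog code and not from the thread), the Python below shows what the converter in the post above was being asked to do: take the sample event time, which is ISO-8601 in UTC, and render it in Madrid time. Two things are visible when you run it: the pattern given in the post, `yyyy-MM-dd HH:mm:ss` (a Joda-Time pattern in Graylog, translated here to its strptime equivalent as an assumption of this example), does not match the sample string at all, because the sample carries a `T` separator, milliseconds and a trailing `Z`; and a pattern that does match yields a correct, timezone-aware value that can be converted for display without rewriting the stored UTC timestamp. The fallback fixed offset for Europe/Madrid is only a safety net for systems without tzdata and is correct only for summer time.

```python
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

# Constructed sample: the event time quoted in the post (ISO-8601, UTC).
SAMPLE_TIMESTAMP = "2017-06-15T06:38:35.155Z"

# Assumption: the Joda pattern "yyyy-MM-dd HH:mm:ss" from the post, expressed
# as the nearest Python strptime pattern.
POSTED_PATTERN = "%Y-%m-%d %H:%M:%S"

# A pattern that actually matches the sample: 'T' separator, fractional
# seconds and a UTC designator ('Z' is accepted by %z since Python 3.7).
ISO_PATTERN = "%Y-%m-%dT%H:%M:%S.%f%z"


def parse_with_pattern(value: str, pattern: str):
    """Return a datetime if `value` matches `pattern`, else None.

    None models the converter silently leaving the field untouched,
    which is what the post observed."""
    try:
        return datetime.strptime(value, pattern)
    except ValueError:
        return None


def madrid_zone():
    """Europe/Madrid from tzdata; fall back to a fixed +02:00 (CEST) offset
    if the zone database is missing. The fallback is an assumption of this
    example and is only right for dates in summer time."""
    try:
        return ZoneInfo("Europe/Madrid")
    except ZoneInfoNotFoundError:
        return timezone(timedelta(hours=2), "CEST-fallback")


def to_local(value: str):
    """Parse the UTC ISO timestamp and convert it for display in Madrid time.
    The original UTC instant is unchanged; only the representation moves."""
    utc_dt = datetime.strptime(value, ISO_PATTERN)
    return utc_dt.astimezone(madrid_zone())


def local_string(value: str, fmt: str = "%Y-%m-%d %H:%M:%S") -> str:
    """Render the converted time with the display format from the post."""
    return to_local(value).strftime(fmt)


if __name__ == "__main__":
    print("posted pattern matches sample:",
          parse_with_pattern(SAMPLE_TIMESTAMP, POSTED_PATTERN) is not None)
    print("ISO pattern matches sample:   ",
          parse_with_pattern(SAMPLE_TIMESTAMP, ISO_PATTERN) is not None)
    print("Madrid display time:          ", local_string(SAMPLE_TIMESTAMP))
```

Running it prints `False`, `True` and `2017-06-15 08:38:35`: on 15 June Madrid is two hours ahead of UTC, so 06:38 UTC is 08:38 local. Changing how a time is displayed is safer than storing a zone-shifted value in `timestamp`, because the stored UTC instant is what lets events from different sources be ordered and correlated.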

As described in Flexibly Parse Date and the documentation at http://docs.graylog.org/en/2.2/pages/extractors.html, Extractors only work on text (string) fields, but “timestamp” is not a string.

Thanks Jochen, so I won't worry about that; really I could work with that, there is some difference in minutes/hours but OK.

If that is fine with you I will open a new post about alerts so as not to mix both doubts.

Thanks all.
