Time stamp issues

Hi there, I am looking to get a little help with grokking timestamps with Graylog. I understand Elasticsearch and Logstash well; however, I have never used Graylog before. At present I am getting the following errors.

I am fairly certain that having a match like I have used on Logstash would work; however, I am unsure of how to add this to the processes without breaking the pipeline. My question is: how do I edit the Graylog syntax to give me the multi-match result like the grok example?

Error Output

 [GelfCodec] GELF message <9cb0ba70-d8da-11eb-90a5-00505684ac52> (received from <>) has invalid "timestamp": 2021-06-29T14:05:00.262Z

Logstash Grok Example

match => [ "system.auth.timestamp", "yyyy-MM-dd'T'HH:mm:ss.SSSSSSZZ", "yyyy-MM-dd'T'HH:mm:ssZZ", "yyyy-MM-dd'T'HH:mm:ss.SSSZZ", "ISO8601" ]

Pipeline Rule

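rule "Logstash plain logs"
when
    to_string($message.type) == "logstash-logs"
then
    // Extract the bracketed fields from the raw Logstash log line
    let parsed = grok(
            pattern: "\\[%{TIMESTAMP_ISO8601:timestamp_temp}\\]\\[%{LOGLEVEL:log_level}\\s?\\]\\[%{LOGSTASH_CLASS_MODULE:logstash_log_module}\\s*\\](\\[%{NOTSPACE:logstash_log_pipeline_id}\\]|)%{GREEDYMULTILINE:message}",
            value: to_string($message.message),
            only_named_captures: true
    );
    // Copy the named captures onto the message so timestamp_temp can be read below
    set_fields(parsed);
    // Parse the captured timestamp (comma before the milliseconds)
    let new_date = parse_date(
        value: to_string($message.timestamp_temp),
        pattern: "yyyy-MM-dd'T'HH:mm:ss,SSS"
    );
end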

Are you sure that your client is sending GELF in the correct format? The timestamp, per the GELF 1.1 spec, requires a UNIX time value.

timestamp number

  • Seconds since UNIX epoch with optional decimal places for milliseconds; SHOULD be set by client library. Will be set to the current timestamp (now) by the server if absent.
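
As an added example (not part of the thread, and not Graylog or Logstash code): a sender-side normalizer in Python that accepts several ISO 8601 layouts, in the spirit of the multi-format match in the question, and emits the numeric timestamp GELF 1.1 requires. The function names, the `_original_timestamp` field and the sample payload are constructed for illustration, and timestamps without an offset are assumed to be UTC.

```python
import json
from datetime import datetime, timezone

# Input layouts to try in order, mirroring the multi-format match in the question.
FORMATS = (
    "%Y-%m-%dT%H:%M:%S.%f%z",  # fractional seconds with offset
    "%Y-%m-%dT%H:%M:%S%z",     # whole seconds with offset
    "%Y-%m-%dT%H:%M:%S,%f",    # comma before milliseconds, no offset
    "%Y-%m-%dT%H:%M:%S.%f",    # fractional seconds, no offset
    "%Y-%m-%dT%H:%M:%S",       # whole seconds, no offset
)

def to_gelf_timestamp(value):
    """Return seconds since the UNIX epoch (float), or None if unparseable."""
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return float(value)  # already numeric, as GELF expects
    if not isinstance(value, str):
        return None
    text = value.strip()
    if text.endswith("Z"):
        text = text[:-1] + "+0000"  # spell Z as an explicit UTC offset
    for fmt in FORMATS:
        try:
            parsed = datetime.strptime(text, fmt)
        except ValueError:
            continue
        if parsed.tzinfo is None:  # assumption: offset-less values are UTC
            parsed = parsed.replace(tzinfo=timezone.utc)
        return round(parsed.timestamp(), 3)
    return None

def normalize_gelf(raw):
    """Parse a GELF JSON payload and make "timestamp" numeric."""
    msg = json.loads(raw)
    if "timestamp" in msg:
        ts = to_gelf_timestamp(msg["timestamp"])
        if ts is None:
            # Drop the bad value so the server stamps the message on receipt,
            # keeping the original text in an additional (underscore) field.
            msg["_original_timestamp"] = str(msg.pop("timestamp"))
        else:
            msg["timestamp"] = ts
    return msg

# Constructed sample payload using the timestamp from the error above.
SAMPLE = ('{"version": "1.1", "host": "app01.example", '
          '"short_message": "login ok", "timestamp": "2021-06-29T14:05:00.262Z"}')
if __name__ == "__main__":
    print(json.dumps(normalize_gelf(SAMPLE)))
```

Running the normalizer before the message leaves the client keeps the original event time instead of the time of receipt.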

