Hi there, I am looking to get a little help with grokking timestamps with Graylog. I understand Elasticsearch and Logstash well; however, I have never used Graylog before. At present I am getting the following errors.
I am fairly certain that having a match like the one I have used on Logstash would work; however, I am unsure of how to add this to the processes without breaking the pipeline. My question is: how do I edit the Graylog syntax to give me the multi-match result like the grok example?
Error Output
[GelfCodec] GELF message <9cb0ba70-d8da-11eb-90a5-00505684ac52> (received from <172.31.11.125:46510>) has invalid "timestamp": 2021-06-29T14:05:00.262Z
Logstash Grok Example
    match => [ "system.auth.timestamp",
               "yyyy-MM-dd'T'HH:mm:ss.SSSSSSZZ",
               "yyyy-MM-dd'T'HH:mm:ssZZ",
               "yyyy-MM-dd'T'HH:mm:ss.SSSZZ",
               "ISO8601" ]
Pipeline Rule
    rule "Logstash plain logs"
    when
        to_string($message.type) == "logstash-logs"
    then
        // Split the Logstash plain-log line into named fields; the bracketed
        // timestamp lands in timestamp_temp.
        set_fields(
            grok(
                pattern: "\\[%{TIMESTAMP_ISO8601:timestamp_temp}\\]\\[%{LOGLEVEL:log_level}\\s?\\]\\[%{LOGSTASH_CLASS_MODULE:logstash_log_module}\\s*\\](\\[%{NOTSPACE:logstash_log_pipeline_id}\\]|)%{GREEDYMULTILINE:message}",
                value: to_string($message.message),
                only_named_captures: true
            )
        );
        // Logstash's own plain log format writes milliseconds after a comma,
        // so this single Joda pattern only fits that one layout.
        let new_date = parse_date(
            value: to_string($message.timestamp_temp),
            pattern: "yyyy-MM-dd'T'HH:mm:ss,SSS"
        );
        set_field("timestamp", new_date);
        rename_field("timestamp", "event_created");
        remove_field("timestamp_temp");
    end
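Graylog's rule language has no if/else inside `then` and no try/catch, so the Logstash-style "try each pattern in turn" list is usually expressed as several rules in the same pipeline stage, each guarded by a regex in its `when` clause so that `parse_date()` is only called with a pattern that fits. The rules below are an added example, not code from the original post or from Graylog's documentation; they assume `timestamp_temp` has already been extracted by a grok rule in an earlier stage, and they cover the three explicit layouts from the Logstash match list (3-digit fraction, 6-digit fraction, no fraction, each with a `Z` or `+HH:MM` offset). Note that the GelfCodec error quoted above is raised by the GELF input itself, which requires a numeric `timestamp` field, before any pipeline runs; a pipeline rule cannot repair it, so the sender must ship a numeric timestamp or put the ISO string in a differently named field.

```graylog
// Added example (not from the original post): one rule per timestamp layout.
// All three rules go in the same pipeline stage; at most one matches a message.
// Assumes: timestamp_temp already exists, and parse_date() fails the rule when
// the Joda pattern does not fit, which is why each rule is gated by a regex.

rule "event_created from ISO8601, 3-digit fraction"
when
    has_field("timestamp_temp") &&
    regex("^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}(Z|[+-]\\d{2}:\\d{2})$",
          to_string($message.timestamp_temp)).matches
then
    // Joda: SSS reads exactly three fraction digits, ZZ reads "Z" or "+02:00".
    let ts = parse_date(value: to_string($message.timestamp_temp),
                        pattern: "yyyy-MM-dd'T'HH:mm:ss.SSSZZ");
    set_field("event_created", ts);
    remove_field("timestamp_temp");
end

rule "event_created from ISO8601, 6-digit fraction"
when
    has_field("timestamp_temp") &&
    regex("^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{6}(Z|[+-]\\d{2}:\\d{2})$",
          to_string($message.timestamp_temp)).matches
then
    // Six S's are needed: SSS would stop after three digits and the offset
    // parse would then fail on the remaining digits.
    let ts = parse_date(value: to_string($message.timestamp_temp),
                        pattern: "yyyy-MM-dd'T'HH:mm:ss.SSSSSSZZ");
    set_field("event_created", ts);
    remove_field("timestamp_temp");
end

rule "event_created from ISO8601, no fraction"
when
    has_field("timestamp_temp") &&
    regex("^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(Z|[+-]\\d{2}:\\d{2})$",
          to_string($message.timestamp_temp)).matches
then
    let ts = parse_date(value: to_string($message.timestamp_temp),
                        pattern: "yyyy-MM-dd'T'HH:mm:ssZZ");
    set_field("event_created", ts);
    remove_field("timestamp_temp");
end
```

Because the guards are mutually exclusive, a message whose `timestamp_temp` matches none of them keeps the raw string and is easy to find later with a search such as `_exists_:timestamp_temp`, which is the detection you want for unparsed timestamps rather than silently dropping or misdating events. If the sender also uses a comma-separated fraction (as Logstash's own plain log does), add a fourth rule with `,SSS` in both the regex and the Joda pattern rather than widening one of the guards.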