Doing a quick look around here is a post on a quite older version of Graylog but the idea still stands. If your router/switch is not reporting it’s time zone Graylog will assume it’s UTC, then display in your local timezone. Looks like that and perhaps the overloaded resource delay added on. You can correct timestamp information in the pipeline… also… look for inefficiencies in your pipeline that might help with the overload. One thing that has helped in the past is adding a ^ to the start of any GROK if it is expected to start finding things at the start of a message so it doesn’t try and iterate through the whole message…