hi,
I try to read the correct timestamp from the log line. I manage to make a field (type string) containing the real time of the event. Now, trying to use a copy input with flexible date converter to copy that info to the timestamp field fails.
If I copy to the EventReceivedTime field, it works. I looked at the mappings, and it seems that they have different mappings:
If I store the result of the Flexible Date Converter to a new unused field, the mapping will be:
{
"graylog_870" : {
"mappings" : {
"message" : {
"timestampX" : {
"full_name" : "timestampX",
"mapping" : {
"timestampX" : {
"type" : "date",
"format" : "strict_date_optional_time||epoch_millis"
}
}
}
}
}
}
}
The mapping of EventReceivedTime is similar:
{
"graylog_870" : {
"mappings" : {
"message" : {
"EventReceivedTime" : {
"full_name" : "EventReceivedTime",
"mapping" : {
"EventReceivedTime" : {
"type" : "date",
"format" : "strict_date_optional_time||epoch_millis"
}
}
}
}
}
}
}
but the timestamp field has a different mapping:
{
"graylog_870" : {
"mappings" : {
"message" : {
"timestamp" : {
"full_name" : "timestamp",
"mapping" : {
"timestamp" : {
"type" : "date",
"format" : "yyyy-MM-dd HH:mm:ss.SSS"
}
}
}
}
}
}
}
So what is the correct way to parse the string to a date in such a way that it can be stored in the timestamp field?
Graylog 2.2.3