Timestamp modification

Elasticsearch : 6.7.2
MongoDB : 3.2.11
Graylog : 3.0.2-1

Hi,

I need some help to edit a timestamp on some servers.
I have a few servers with TZ = UTC and I want to display them in the console with TZ = UTC+2, but just for these servers.
I tried to use an extractor to copy the timestamp and modify it to another TZ, but that didn't work.
So I tried to do it with a pipeline.
I have configured the following steps:

  • I created a dedicated input.
  • I created a dedicated stream.
  • I have this rule to replace the timestamp:

rule "timestamp_now+2"
when
  true
then
  // render now() in the shifted zone, keep the first 23 characters (date, time, millis) and reparse
  let new_date = parse_date(substring(to_string(now("+0100")), 0, 23), "yyyy-MM-dd'T'HH:mm:ss.SSS");
  set_field("timestamp", new_date);
end

But it doesn't work.
Am I missing something?

Thank you for your replies.

Instead of all separate inputs etc, you could simply add logic to your rule. Then it also makes it a bit easier to see ‘working’ and ‘non-working’ logs side by side while you’re troubleshooting.

Do you actually have a timestamp you’re using, or are you trying to use the graylog event time for your logs? That’s not usually the recommended path. In my example, I just picked ‘router_time’ as the field for your copied time.

Also - did you check that your logs don't exist in the future, given that you are editing for a timezone further out than yours (i.e. the last 5 minutes won't show)?

rule "Set Local Time"
when 
// Adjust for your device
to_string($message.devicename) == "beirut_router"
then
//Also adjust for yours, I just picked a canonical from UTC+2
let new_time = parse_date(value:to_string($message.router_time), pattern:"yyyy MMM dd HH:mm:ss.SSS", timezone:"Asia/Beirut");
set_field("timestamp",new_time);
end
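As an added illustration (not code from either poster, and not Graylog's own implementation), the same logic in Python: attaching the device's zone to a zone-less timestamp at parse time, as the answer's `parse_date(..., timezone=...)` does, versus the question's approach of rendering `now()` in another zone and reparsing the digits as UTC, which moves the message into the future. A fixed UTC+2 offset stands in for `Asia/Beirut` so the script has no tz-database dependency; the field names `devicename` and `router_time`, the sample messages and the reference "now" are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Assumption: a fixed UTC+2 offset stands in for the answer's "Asia/Beirut" so the
# example has no tz-database dependency; a real rule would use the IANA zone name.
DEVICE_TZ = timezone(timedelta(hours=2))
# Python equivalent of the Joda pattern "yyyy MMM dd HH:mm:ss.SSS" used in the answer.
DEVICE_PATTERN = "%Y %b %d %H:%M:%S.%f"

# Constructed reference time standing in for Graylog's now(); the messages are constructed too.
SAMPLE_NOW_UTC = datetime(2019, 6, 3, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_MESSAGES = [
    {"devicename": "beirut_router", "router_time": "2019 Jun 03 13:59:30.000"},
    {"devicename": "other_box", "router_time": "2019 Jun 03 11:58:00.000"},
]


def parse_device_time(raw: str, tz: timezone = DEVICE_TZ) -> datetime:
    """Parse a zone-less device timestamp and attach the device's zone.

    This mirrors parse_date(value, pattern, timezone): the wall-clock digits are
    kept and the offset is attached, so the instant is interpreted correctly.
    """
    return datetime.strptime(raw, DEVICE_PATTERN).replace(tzinfo=tz)


def to_utc(ts: datetime) -> datetime:
    """Normalise an aware timestamp to UTC, which is how Graylog stores 'timestamp'."""
    return ts.astimezone(timezone.utc)


def shifted_now_reparsed_as_utc(now_utc: datetime, offset_hours: int) -> datetime:
    """Reproduce the question's rule: render now() in another zone, drop the offset,
    and reparse the digits as UTC. The result is a different instant, not a display
    conversion, and it lands offset_hours in the future."""
    local = now_utc.astimezone(timezone(timedelta(hours=offset_hours)))
    digits = local.strftime("%Y-%m-%dT%H:%M:%S.%f")[:23]  # substring(..., 0, 23)
    return datetime.strptime(digits, "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)


def is_in_future(ts: datetime, now_utc: datetime,
                 tolerance: timedelta = timedelta(minutes=1)) -> bool:
    """The check from the answer: a timestamp ahead of now() will not appear in a
    'last 5 minutes' search, so flag anything beyond a small clock-skew tolerance."""
    return to_utc(ts) > now_utc + tolerance


def apply_rule(messages, device_name: str = "beirut_router",
               now_utc: datetime = SAMPLE_NOW_UTC):
    """Apply the conversion only to the matching device (the rule's 'when' clause),
    leave other messages untouched, and report whether each result is in the future."""
    out = []
    for msg in messages:
        row = dict(msg)
        if msg.get("devicename") == device_name:
            ts = parse_device_time(msg["router_time"])
            row["timestamp"] = to_utc(ts).isoformat()
            row["future"] = is_in_future(ts, now_utc)
        out.append(row)
    return out


if __name__ == "__main__":
    for row in apply_rule(SAMPLE_MESSAGES):
        print(row)
    print("question's approach yields:",
          shifted_now_reparsed_as_utc(SAMPLE_NOW_UTC, 1).isoformat())
```

Running it shows the router message stored as 11:59:30 UTC (the same instant Graylog will then render in whatever zone the user profile selects), while the reparsed `now()` comes out an hour ahead of the reference time and would be hidden by a relative time range.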

Thanks, you solved my problem :wink:
