Hi,
I have a weird problem that occurs often. (Graylog 2.2.3) It has indexing errors:
My guess is that the problem is this:
"timestamp":"2017-05-09 00:00:00.000"
I don’t understand why this happens, as I use an extractor:
> {
>   "title": "timestamp ext",
>   "extractor_type": "split_and_index",
>   "converters": [
>     {
>       "type": "date",
>       "config": {
>         "date_format": "yyyy-MM-dd'T'HH:mm:ssZ"
>       }
>     }
>   ],
>   "order": 0,
>   "cursor_strategy": "copy",
>   "source_field": "message",
>   "target_field": "timestamp",
>   "extractor_config": {
>     "index": 1,
>     "split_by": "|"
>   },
>   "condition_type": "none",
>   "condition_value": ""
> }
and the test message is as follows:
2017-05-09T00:00:00Z|public|
Now: the original line does not have a space between date and time. If I use the same extractor without the date converter, the same happens. Also, if I change to the flexible date converter, this happens. I can easily change the date format in the log line that is sent, but I thought this format was the right one. Also, if I add milliseconds to the date format, the same seems to happen.
The input is raw TCP input.