to me it looks as the “timestamp” is set by graylog based on the arrival-time of the logmessage. The field “full_message” contains the timestamp from the application, and some other information (DEBUG and blured stuff). Am I right?
My approach in this case would be
- build a grok pattern to get the timestamp from the field “full_message”.
- build a piepline to extract that value and put it into “timestamp”. Make sure to use a date-type and not a string. A little magic with flex_parse_date might be neccesary.