Unable to force date field type inside my indexes

Hello everyone

I’ve been struggling with this issue for the past few days and I’m seeking any recommendation or explanation on how I can fix it.

I currently have multiple Ubuntu servers which are sending logs through rsyslog (TCP with TLS) to two HA HAProxy servers, which forward the logs in TCP mode to my Graylog cluster composed of three servers.

I have my input configured, my logs are being received by Graylog and I currently have a pipeline configured with different steps, like this:

rule "Parse SYSLOG3164"
when
    has_field(
        field : "full_message"
    )
then
    // grok the raw syslog line; only named captures become message fields
    let gl2_fragment_grok_results = grok(
        pattern: "%{SYSLOG3164}",
        value: to_string($message.full_message),
        only_named_captures: true
    );
    set_field("parsed", "ok");
end

rule "Fix Timestamp"
when
    has_field("timestamp")
then
    // re-parse the timestamp string and write it back to the timestamp field
    let str = to_string($message.timestamp);
    set_field("timestamp",
        to_date(
            format_date(
                flex_parse_date(str),
                "yyyy-MM-dd HH:mm:ss"
            )
        )
    );
end

All of the fields are being parsed properly; my only issue is that all of my indexes have the field type text instead of date.

I already have an index_pattern configured inside my Elasticsearch cluster, but Graylog refuses to use it and always creates a mapping on its own, missing my key configuration inside my index_pattern (setting all timestamp fields to date type).

I also can’t configure my type inside index set templates: the timestamp field is greyed out and it’s marked as a Reserved field.

Any feedback on how I can fix my field type or make Graylog understand that timestamp is indeed a date field? Because of this issue I can’t search through my logs, because Graylog doesn’t recognise my timestamp field as a date.

I tried multiple pipeline configurations without any success; I thought to_date would fix the field type to date, as said inside the Graylog web UI in the quick reference (“Converts a type to a date …”).

My timestamp at the end looks like this when extracting content from my indexes:

"timestamp": "2026-02-02 17:35:15.000",

I’m currently running Graylog 6.2.1 with an Elasticsearch 7.10.2 cluster behind it (also on three servers).

Thanks

@Theoooooo,

When looking at the fields view from the search context, what data type do you see timestamp listed as? The default template should be storing it as date.

From what I can see, the timestamp is being stored as a string / text field type.

I tried forcing it as date inside my pipeline without success.

I also have my index_pattern configured, but Graylog doesn’t seem to take it into account when rotating my index on a daily basis, or when rotating manually.

I would have thought, if the timestamp was being stored as a string that none of the logs would be searchable via the UI.

Could you post the template being applied and the current field mappings here?

In Graylog, changing the pipeline alone doesn’t update the mapping — the field stays text until the index template is updated.
Use Change field type → Date in the UI and rotate the index so the new mapping is applied.

I can’t set the field via Change field type → Date; the timestamp field is grayed out and it says “Field is Reserved”, or something like that.

I may have found a solution though: after messing around, I updated my index template and added the optional field “priority” inside it, and I set it to 500.

I read on another post that Graylog uses priorities when creating indexes that are higher than the default value Elasticsearch uses when creating indexes (via Graylog).

Setting the priority to 500 bypasses the priority issue and actually uses my provided template.

You can see an example here: docs/manage-data/data-store/templates#index-templates

This issue is now resolved

Thanks for the advice and your time.

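The template-priority mechanism the resolution above relies on, as an added example that is not code from this thread, from Graylog or from Elasticsearch. It builds a composable index template (the `PUT /_index_template/<name>` API, available in Elasticsearch 7.8 and later) that maps `timestamp` as `date`, and a small selector that mirrors the rule Elasticsearch applies when several templates match a new index name: the highest `priority` wins. The index prefix `graylog`, the template names, the priority of the constructed "existing" template and the date format string are all assumptions made for this example; the thread does not state what priority Graylog's own template carries.

```python
"""Added example (not code from the thread, from Graylog or from Elasticsearch).

Shows a composable Elasticsearch index template that maps `timestamp` as
`date`, and how the `priority` field decides which template is applied when
more than one template's index_patterns match a newly created index.
"""
import fnmatch
import json
import urllib.request
from typing import Optional


def build_template(index_prefix: str, priority: int = 500) -> dict:
    """Composable index template body mapping `timestamp` as a date field.

    `index_prefix` and `priority` are assumptions for this example; Graylog
    names its indices <index_set_prefix>_<number>, hence the `_*` pattern.
    """
    return {
        "index_patterns": [f"{index_prefix}_*"],  # e.g. graylog_0, graylog_1, ...
        "priority": priority,                     # higher wins among matching templates
        "template": {
            "mappings": {
                "properties": {
                    # Format matches the stored value quoted in the thread
                    # ("2026-02-02 17:35:15.000"); the format string itself is
                    # an assumption, not taken from Graylog's default template.
                    "timestamp": {
                        "type": "date",
                        "format": "yyyy-MM-dd HH:mm:ss.SSS",
                    }
                }
            }
        },
    }


def select_template(index_name: str, templates: dict) -> Optional[str]:
    """Name of the template Elasticsearch would apply to `index_name`.

    `templates` maps template name -> body (the shape returned by
    GET /_index_template). Only templates with a matching index pattern are
    candidates; among those the highest `priority` wins. None means no match.
    """
    best_name, best_priority = None, None
    for name, body in templates.items():
        patterns = body.get("index_patterns", [])
        if not any(fnmatch.fnmatchcase(index_name, pat) for pat in patterns):
            continue
        prio = body.get("priority", 0)
        if best_priority is None or prio > best_priority:
            best_name, best_priority = name, prio
    return best_name


def apply_template(es_url: str, name: str, body: dict, timeout: float = 10.0) -> int:
    """PUT the template to a cluster (es_url like 'https://es.example:9200')
    and return the HTTP status. Network I/O happens only when this is called."""
    req = urllib.request.Request(
        f"{es_url.rstrip('/')}/_index_template/{name}",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="PUT",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    mine = build_template("graylog", priority=500)
    # Constructed stand-in for the template Graylog installs itself; its real
    # priority value is not given in the thread.
    existing = {"index_patterns": ["graylog_*"], "priority": 100}
    print(json.dumps(mine, indent=2))
    print("winner for graylog_42:",
          select_template("graylog_42", {"graylog-internal": existing, "graylog-custom": mine}))
```

A mapping change only takes effect on indices created after the template is installed, which is why the index still has to be rotated afterwards. Elasticsearch also rejects a new composable template whose patterns overlap an existing one at the same priority, so if the `PUT` fails with a priority conflict, pick a different value rather than matching the existing one. Checking that `timestamp` really is `date` in the active index (`GET /<index>/_mapping`) is the quickest way to confirm time-range queries will work again.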