Thanks for your help in this question. I would like to change the Timestamp in Graylog to provide the Timestamp coming from the logs collected by filebeat. In order to achieve this, I have created an extractor using regular expression and saved it as a field “Timestamp” as follows:
The problem is that in Graylog search I have an inconsistency of Timestamp and timestamp fields. The current timestamp which corresponds to the time the log was processed is in Timestamp and timestamp field and I have another Timestamp field which has the time related to the log. To clarify the scenario I provide a screenshot of the mentioned behaviour:
Thanks for your answer Jan, I have changed to lowercase using timestamp, but the Search keeps the previous Timestamp field and the new field timestamp keeps the same time. Please let me show you in this example:
That the T in the first timestamp is capitalized is a mistake, because it gives you a wrong meaning.
The first timestamp is always shown in the timezone that your user profile has selected. The second timestamp is how the timestamp is saved in Elasticsearch, including the timezone.
The extraction of the timestamp does not work because it needs to be in a specific format, and not in the format you extract.
You can do that with a converter in the same extractor.
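The extract-then-convert step Jan describes, shown as an added Python example rather than in Graylog's extractor UI (this is not code from the thread or from the Graylog project). It assumes that Graylog stores the `timestamp` field as `yyyy-MM-dd HH:mm:ss.SSS` in UTC; the two log lines, the regular expressions and the `LOCAL_PLUS_TWO` zone are constructed for the example. The second line carries no timezone, which is the case that silently keeps "the same time" when the raw text is written straight into the field: the zone must be supplied during conversion or the event is filed hours away from when it happened.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed storage format of Graylog's timestamp field (always UTC, millisecond precision).
GRAYLOG_TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"

# Constructed zone used when a log line has no offset of its own (e.g. a host at UTC+2).
LOCAL_PLUS_TWO = timezone(timedelta(hours=2))

# Constructed sample lines: an access-log style line with an offset, and an
# application-log style line without one.
SAMPLE_LINES = [
    '10.0.0.5 - - [16/Oct/2017:14:03:27 +0200] "GET /login HTTP/1.1" 200 512',
    "2017-10-16 14:03:27,845 INFO  [worker-1] job finished",
]

# Regex "extractors" for the two layouts, each paired with the strptime format
# that the converter needs in order to understand the captured text.
EXTRACTORS = [
    (re.compile(r"\[(?P<ts>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]"),
     "%d/%b/%Y:%H:%M:%S %z"),
    (re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})"),
     "%Y-%m-%d %H:%M:%S,%f"),
]


def extract_raw_timestamp(line):
    """Return (raw_text, strptime_format) for the first extractor that matches, else None."""
    for pattern, fmt in EXTRACTORS:
        match = pattern.search(line)
        if match:
            return match.group("ts"), fmt
    return None


def convert_to_graylog(raw, fmt, default_tz=timezone.utc):
    """Parse the extracted text and render it the way Graylog stores 'timestamp'.

    A value with no zone information is interpreted in default_tz; leaving that
    at UTC for a host logging in local time shifts every event by the offset.
    """
    parsed = datetime.strptime(raw, fmt)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=default_tz)
    # strftime('%f') yields microseconds; drop the last three digits for milliseconds.
    return parsed.astimezone(timezone.utc).strftime(GRAYLOG_TS_FORMAT)[:-3]


def process_line(line, default_tz=timezone.utc):
    """Extract and convert in one step; None when no extractor matches the line."""
    found = extract_raw_timestamp(line)
    if found is None:
        return None
    raw, fmt = found
    return {"raw": raw, "timestamp": convert_to_graylog(raw, fmt, default_tz)}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(process_line(line))                  # zone-less line assumed UTC
        print(process_line(line, LOCAL_PLUS_TWO))  # zone-less line assumed UTC+2
```

Run it and compare the two outputs for the second line: the raw text is identical, but the stored value differs by two hours depending on the zone the converter was told to assume. That difference is the one to check when an extracted timestamp seems to match the raw log yet the event sorts into the wrong place in search.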