Hi guys, I am trying to correct timestamp for O365 logs. As per my understanding O365 logs have no timezone info so graylog treating it UTC 0, infact that should be UTC -6. I am trying to get over it by writing current parse time through pipeline below:
rule “correct timestamp for logs from O365”
let log_timestamp = $message.timestamp;
let timestamp = $message.timestamp;
let debug_message = concat( first: "timestamp before changing: ", second: to_string(timestamp));
let new_date = parse_date( value: to_string(log_timestamp), pattern: "yyyy-MM-dd HH:mm:ss Z"); set_field("timestamp", new_date); let debug_message = concat( first: "timestamp after changing: ", second: to_string(timestamp));
Graylog does the time zone conversion but still that is not good as the difference of 6 hours. I can get debug value for before changing but after is not even showing and is there an efficient way do it. Thanks in advance.