Hi All,
Running Graylog 5.0.3 and I’m having an issue using a Replace with Regular Expression extractor with a literal dot in the replacement string. We get access log messages from NGINX via a filebeat sidecar, so they come in as JSON data. The timestamp format from NGINX causes the JSON extractor to throw an error and replace the timestamp, like so:
Replaced invalid timestamp value in message <8e5f2dd1-9a32-11f0-9319-00505689d347> with current time - Value <2025-09-25T13:10:36-04:00> caused exception: Invalid format: “2025-09-25T13:10:36-04:00” is malformed at “T13:10:36-04:00”.
I’m trying to use a Replace with Regular Expression extractor to fix the timestamp in the message, converting it to yyyy-MM-dd HH:mm:ss.SSS format as expected by the JSON extractor. Since NGINX doesn’t include any milliseconds, I need to append “.000” each time, but this is where things fall apart. I have tried using the following…
Regular Expression:
"timestamp":\s*"(\d{4}-\d{2}-\d{2})T(\d{2}:\d{2}:\d{2})[+-]\d{2}:\d{2}"
Replacement:
"timestamp": "$1 $2.000"
This should result in 2025-09-25 13:10:36.000 but instead, the literal . seems to cause it to just stop working. Messages on this input immediately stop being indexed, and there are no errors in any of the Graylog logs. The same thing happens if I try escaping the dot with a single backslash, like "timestamp": "$1 $2\.000" .
If I try "timestamp": "$1 $2\\.000" or "timestamp": "$1 $2\\\.000" I get a parsing error in the message about an unsupported escape sequence.
If I try something other than a dot, like "timestamp": "$1 $2_000" then it’s back to the “Invalid format” error and it replaces the timestamp with the current time.
Changing our NGINX timestamp format isn’t really an option right now, nor is passing these logs through a script or something to fix the timestamp that way. I’d really like Graylog to do it, and I need to use an extractor (not a pipeline) so the timestamp can be fixed before the JSON extractor processes it.
Is there any way to make this work?
Thanks!
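An added example (not part of the original post, and not Graylog code): the rewrite described above reproduced offline in Python on a constructed message, so the expected result of the pattern and replacement can be checked outside Graylog. It also goes one step further with an offset-aware variant that converts to UTC instead of discarding the -04:00, which keeps event times accurate when correlating logs. Assumptions: Graylog reads the rewritten value as UTC; `TS_FULL_RE` and both function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Pattern copied from the post: captures date and time, matches but drops the offset.
TS_RE = re.compile(
    r'"timestamp":\s*"(\d{4}-\d{2}-\d{2})T(\d{2}:\d{2}:\d{2})[+-]\d{2}:\d{2}"'
)
# Variant (assumption, not from the post): keeps the whole value, offset included.
TS_FULL_RE = re.compile(
    r'("timestamp":\s*")(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2})"'
)

# Constructed sample line, shaped like the message in the post (not real data).
SAMPLE = '{"timestamp": "2025-09-25T13:10:36-04:00", "status": 200}'


def rewrite_drop_offset(message: str) -> str:
    """The post's rewrite: 'date time.000', offset discarded."""
    # Python writes the post's $1/$2 as \g<1>/\g<2>; the dot is a plain literal.
    return TS_RE.sub(r'"timestamp": "\g<1> \g<2>.000"', message, count=1)


def rewrite_to_utc(message: str) -> str:
    """Offset-aware variant: convert to UTC before dropping the offset."""

    def repl(m: re.Match) -> str:
        try:
            local = datetime.fromisoformat(m.group(2))
        except ValueError:
            return m.group(0)  # impossible date/time: leave the field untouched
        utc = local.astimezone(timezone.utc)
        return f'{m.group(1)}{utc:%Y-%m-%d %H:%M:%S}.000"'

    return TS_FULL_RE.sub(repl, message, count=1)


if __name__ == "__main__":
    print(rewrite_drop_offset(SAMPLE))
    print(rewrite_to_utc(SAMPLE))
```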