Hi, I’m using Graylog v2.4.6. I’ve noticed that Timestamp and timestamp(filter-field) are in different timezones. Timestamp is correct but timestamp is back for 3 hours.
I’ve checked the graylog-server.conf and there I didn’t see any problems with setting.
I’ve checked server settings and I didn’t see any problems either.
So should I set a rule, pipeline or an extractor? What should I do?
You probably have 2 fields with timestamp. Only default Timestamp field is formated with correct timezone setting for user account.
If you login as admin user to graylog web interface check if you setup correct timezone in parameter root_timezone = Europe/Bratislava. Replace Europe/Bratislava with your real timezone.
I’ve configured my user’s timezone for Istanbul, and I’ve configured graylog-server.conf for Istanbul. Then I restarted the services. Now graylog is working heavily.
Still, Timestamp and timestamp in different timezones.
Dont know how to fix this…
Changing root timezone in server.conf only setup correct timezone for use user admin. If you you another user, check timezone setting for this profile.
I still don’t undestanrd why you have 2 timestamp fields. Try to find where it appear, or update fields to show.
you have helped me to write the rule, it was like “$message.timestamp”
if i change it to “$message.Timestamp”, will it be fixed?
because Timestamp is correct.
Please post the rule, i don’t remember… it was pipeline rule? or alert?
I was having an issue, creating 2 fields “queryHour” and “queryDay”, and you said create a pipeline and use it as decorator.
rule "week dates"
when
true
then
set_field("queryHour", $message.timestamp.hourOfDay);
set_field("queryHour", $message.timestamp.dayOfWeek);
endFirst, you have error in pipeline rule, second line replace first one, because you set_field with same name.
Fixed version:
rule "week dates"
when
true
then
set_field("queryHour", $message.timestamp.hourOfDay);
set_field("queryDay", $message.timestamp.dayOfWeek);
end
I don’t think that this pipeline rule created new timestamp field. This only create new fields with name queryHour/queryDay, it doesn’t something with timestamp. Maybe you tried something (another pipeline rule or so) that create another field for timestamp.
Yes, you are right. But my question is different. in rule we define “$message.timestamp”, so queryHour and queryDay comes from second timestamp (created filter).
If I change it to “$message.Timestamp”, will it get it from default Timestamp?
timestamp is default field for timestamp used by graylog by default. It’s a field, that is also showed in configured user timezone. In your old version 2.4 it’s showed as Timestamp.
I think, that your problem is that function hourOfDay/dayOfWeek uses timestamp in UTC timezone. If you want to use it in your realtimezone use this snippet instead:
set_field("queryHour", now("Europe/London").hourOfDay);
set_field("queryDay", now("Europe/London").dayOfWeek);
If your want to created field for messages created out of business hour, try this:
rule “out_of_hours”
when
to_long(now("Europe/London").hourOfDay) >= 0 AND
to_long(now("Europe/London").hourOfDay) < 7 AND
to_long(now("Europe/London").dayOfWeek) >= 1 AND
to_long(now("Europe/London").dayOfWeek) <= 5
then
set_field("out_of_hours", true);
//debug("out_of_hours");
end
Why do you think so? queryDay is 5 = Friday. Do you expected another number. It’s a number of day in a week.
Ok, its cool, thanks but do you know how to make it exact day like 21 etc Does “dayOfMonth” work?
exactly dayOfMonth should do this.
Thanks a lot 
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.
