I’m facing an issue with an Event Condition filter query.
In the Graylog dashboard, my query runs fine, showing the correct timestamp and updating data in real time.
However, when filtering with the same query in an Event Condition, the timestamp of the message appears delayed compared to the dashboard. This causes me to receive a bunch of emails with delayed times, whereas I need real-time logs.
Have you added the message ID to the email to make 100% sure it’s the exact same message? Also, in your email it’s called “received time”; is that just the timestamp field or another field from the message (there are often many)?
I have added the message.id field and noticed that:
- The message.id exists when received.
- The timestamp when filtering by Event Condition differs from the timestamp shown in the dashboard when searching for the same message.id.
The “Received Time” you see is the **winlogbeat_event_created** field that I added. This allows me to determine the exact time a user in the domain experienced a failed logon when the email notification arrives.
For example, I received an email notification with message.id “0566a4b0-eb62-11ef-9b3e-000c29f170ea” and a received time of “2025-02-15T05:59:36.648Z”. However, when I look up this message.id in the Graylog dashboard, the timestamp of this message is different from the one shown in the email (which is filtered by the Event Condition).
Yes, this would be possible if there is a delay between Windows writing the messages and winlogbeat reading them, etc. Graylog is probably using the time it received the message as the timestamp field, but you can change this.
You can write a pipeline rule that copies the value from that winlogbeat field and puts that value into the field timestamp; the timestamp field is just a field like any other.
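As an added illustration of the pipeline rule suggested above (this is example code, not from the original thread or from Graylog's own documentation), the rule below copies the winlogbeat_event_created field into timestamp. It assumes winlogbeat_event_created holds an ISO 8601 string in UTC with millisecond precision, like the “2025-02-15T05:59:36.648Z” value shown in the notification email; the field name graylog_received_at is a hypothetical name chosen here to preserve Graylog's original arrival time.

```graylog
rule "copy winlogbeat event created time into timestamp"
when
  // Only touch messages that actually carry the winlogbeat field
  has_field("winlogbeat_event_created")
then
  // Keep Graylog's own arrival time in a separate (hypothetical) field
  // so the ingest lag between event time and receive time stays visible
  set_field("graylog_received_at", $message.timestamp);

  // Assumption: winlogbeat_event_created is an ISO-8601 UTC string,
  // e.g. "2025-02-15T05:59:36.648Z"; a value in another format will
  // make parse_date fail and the rule's actions are then not applied
  let event_time = parse_date(
      value: to_string($message.winlogbeat_event_created),
      pattern: "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
      timezone: "UTC");

  // timestamp is an ordinary field: overwriting it makes searches,
  // dashboards and event-condition time windows use the event's own time
  set_field("timestamp", event_time);
end
```

The rule has to sit in a pipeline connected to the stream the event definition searches, and it must run before the message is indexed, otherwise the event condition still evaluates the original receive time. Keeping the arrival time in its own field is worth it for failed-logon alerting: the difference between the two fields tells you how far behind real time the alert chain is running, which is exactly the gap this thread is about.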
I still do not understand. Why is the dashboard able to show real-time logs, whereas filtering in the event condition ends up showing me delayed results?