Hi Kevin,

you can extract the date from the log messages with a regex extractor and 
afterwards use a date or flexdate converter (see 
http://docs.graylog.org/en/1.1/pages/extractors.html#normalization) to 
convert it to an actual timestamp which you store in the timestamp field of 
your message. Otherwise the receive date of the raw text message will be 
used as message timestamp.

Cheers,
Jochen

On Tuesday, 1 September 2015 22:55:04 UTC+2, Kevin Johnson wrote:
>
> Hi Jochen,
>
> I did not create an extractor to parse the access logs. I have set up 
> extractors on other inputs.  How do I use the recognized date as the 
> message timestamps?
>
> On Tuesday, September 1, 2015 at 4:21:55 AM UTC-4, Jochen Schalanda wrote:
>>
>> Hi Kevin,
>>
>> did you create an extractor (e.g. a grok or a regex extractor) to parse 
>> those access logs and use the recognized date as the message timestamp? If 
>> so, what do those extractors look like?
>>
>>
>> Cheers,
>> Jochen
>>
>> On Tuesday, 1 September 2015 02:50:57 UTC+2, Kevin Johnson wrote:
>>>
>>> Hi Jochen,
>>>
>>> Below is a screen shot of some of the messages:
>>>
>>>
>>>
>>> I'm running the following script to send the log to the Graylog server.
>>>
>>> #!/bin/bash
>>>
>>> tail -F -q /u02/logs/php_error.log |
>>> while IFS= read -r line; do
>>>   echo "192.1681.1 $line" |
>>>     nc -w 1 -u 192.168.1.12 12409
>>> done
>>>
>>>
>>> On Monday, August 31, 2015 at 5:17:47 AM UTC-4, Jochen Schalanda wrote:
>>>>
>>>> Hi Kevin,
>>>>
>>>> could you please post some of the messages you send to Graylog and how 
>>>> they are being parsed?
>>>>
>>>>
>>>> Cheers,
>>>> Jochen
>>>>
>>>> On Saturday, 29 August 2015 04:20:34 UTC+2, Kevin Johnson wrote:
>>>>>
>>>>> I set the root_timezone to EST, which all my servers are set to. 
>>>>> Restarted Graylog.  Once again there is a huge gap in time between the 
>>>>> Graylog time stamp and the actual time of the logs.  The time between 
>>>>> them is well over 24 hrs.  When creating alerts, I receive them a while 
>>>>> after the fact. Is there anything I can tweak on the Graylog server to 
>>>>> alleviate the huge gap in time?
>>>>
>>>>
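
The approach from the reply at the top of this thread (pull the date out of the message with a regex, convert it to a real timestamp, and fall back to the receive time otherwise), shown in Python as an added example; it is not Graylog's code and not part of the original thread. The PHP error-log date prefix, the zone table, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed PHP error_log prefix, e.g. [01-Sep-2015 16:55:04 UTC]
PHP_DATE = re.compile(r"\[(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}) ([A-Za-z_/]+)\]")
# Constructed offset table; extend it for the zone names your servers log.
ZONES = {"UTC": timezone.utc, "EST": timezone(timedelta(hours=-5))}


def event_timestamp(raw, received_at):
    """Return (timestamp_utc, source): the date found in the message, else the receive time."""
    m = PHP_DATE.search(raw)
    if m and m.group(2) in ZONES:
        try:
            local = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S")
        except ValueError:  # matched the pattern but is not a real calendar date
            return received_at, "received"
        return local.replace(tzinfo=ZONES[m.group(2)]).astimezone(timezone.utc), "extracted"
    return received_at, "received"


def ingest_lag(raw, received_at):
    """Seconds between the event time in the line and its arrival; None if no date was extracted."""
    ts, source = event_timestamp(raw, received_at)
    return (received_at - ts).total_seconds() if source == "extracted" else None


if __name__ == "__main__":
    received = datetime(2015, 9, 1, 20, 55, 4, tzinfo=timezone.utc)  # constructed receive time
    samples = [  # constructed lines, shaped like "<prefix> <php_error.log line>"
        "192.0.2.10 [31-Aug-2015 14:02:11 EST] PHP Warning:  Division by zero in /var/www/a.php on line 7",
        "192.0.2.10 [01-Sep-2015 20:55:01 UTC] PHP Notice:  Undefined index: id in /var/www/b.php on line 3",
        "192.0.2.10 PHP Stack trace:",
    ]
    for line in samples:
        ts, source = event_timestamp(line, received)
        print(ts.isoformat(), source, ingest_lag(line, received))
```

A large `ingest_lag` on lines that do carry a date points at delayed delivery or a wrong zone assumption, which is what makes time-based alerts fire late.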
