[graylog2] Re: graylog2 timestamp not from application log message

[Jochen Schalanda]

Hi Wayne,

the following extractor is working for me without problem:

{
  "extractors": [
    {
      "title": "Timestamp",
      "extractor_type": "regex",
      "converters": [
        {
          "type": "date",
          "config": {
            "date_format": "yyyy-MM-dd HH:mm:ss,SSS",
            "time_zone": "Etc/GMT+2"
          }
        }
      ],
      "order": 0,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "timestamp",
      "extractor_config": {
        "regex_value": "^([0-9]{4}-[0-9]{2}-[0-9]{2} 
[0-9]{2}:[0-9]{2}:[0-9]{2}.[0-9]{3})"
      },
      "condition_type": "none",
      "condition_value": ""
    }
  ],
  "version": "2.1.1"
}


Cheers,
Jochen

On Thursday, 13 October 2016 18:41:13 UTC+2, Wayne wrote:
>
> Hi Jochen,
>
> Just to add a bit more detail:
>
> The timestamp in my server log is of the following pattern:
>
> 2016-10-13 12:37:00,022
>
> I was not able to configure an extractor to extract it as a date type with 
> the pattern like
> yyyy-MM-dd HH:mm:ss,SSS
>
> Note: I was creating an Extractor with type of Grok pattern
>
>
> Thanks,
>
> Wayne
>
>
> On Thursday, October 13, 2016 at 10:34:29 AM UTC-4, Jochen Schalanda wrote:
>>
>> Hi Wayne,
>>
>> On Thursday, 13 October 2016 16:30:18 UTC+2, Wayne wrote:
>>>
>>> I understand that the timestamp reflects the time that graylog imported 
>>> the log messages, and not the timestamp associated with the application log 
>>> message. For example, if I send a log file from my application server to 
>>> graylog server, the timestamp of my application log message is a different 
>>> field (when extracted) in graylog UI
>>>
>>
>> Graylog is only falling-back to the ingestion time if the message itself 
>> doesn't include a timestamp or includes an invalid timestamp.
>>
>> For example if you're using a GELF input and the GELF messages contain a 
>> valid timestamp field, that timestamp is being used as message timestamp 
>> in Graylog.
>>
>>
>> Is there a workaround?
>>>
>>
>> What exactly is the problem you're trying to solve? 
>>
>> Cheers,
>> Jochen
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/f66f3f79-265e-40d9-b8f1-a283ba1f2b96%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.