Hi Al,

The "timestamp" field has to be a Date object and not a string.
Additionally, the first parameter of your set_field() call seems odd
("$timestamp" instead of "timestamp").

This rule might work, although I haven't tested it:

rule "WO-CS-RAS"
when
    contains(to_string($message.file),"centralserver\\ras-server\\log\\ras_cs_")
then
    set_field("WO_Log_Source","RAS-CS");
    let matches = grok(pattern: "%{WO_CS_RAS_CS_MESSAGE}", value: to_string($message.message));
    set_fields(matches);
    let date = parse_date(to_string($message.WO_Timestamp), "YYYY-MM-dd HH:mm:ss,sss");
    set_field("timestamp", date);
    route_to_stream("WideOrbit Logs");
end


Cheers,
Jochen


On Tuesday, 7 February 2017 20:52:38 UTC+1, Al Reynolds wrote:
>
> Hello all,
>
> I'm attempting to switch our logging infrastructure from the ELK stack to 
> Graylog, but I'm running into an issue with the pipeline rules and 
> replacing the timestamp field. Rule below: 
>
> rule "WO-CS-RAS"
> when
>     contains(to_string($message.file),"centralserver\\ras-server\\log\\ras_cs_")
> then
>     set_field("WO_Log_Source","RAS-CS");
>     let matches = grok(pattern: "%{WO_CS_RAS_CS_MESSAGE}", value: to_string($message.message));
>     set_fields(matches);
>     let date = parse_date(to_string($message.WO_Timestamp), "YYYY-MM-dd HH:mm:ss,sss");
>     let new_date = format_date(date,"YYYY-MM-DD'T'HH:mm:ss.SSS");
>     set_field("$timestamp", new_date);
>     route_to_stream("WideOrbit Logs");
> end
>
> I've tried without the date formatter as well--no luck there either. The 
> rule will error out and not replace the timestamp field. Everything else 
> works perfectly. Any suggestions as to where I might be going wrong? If I 
> use an extractor I can replace the timestamp field, but I'd like to keep 
> everything in one place if possible. 
>
> Thanks!
>
> Cheers,
> Al
>
