Hi Frank,
On Tuesday, 17 January 2017 10:09:07 UTC+1, Frank wrote:
>
> Well SYSLOGBASE2 formats it as %{SYSLOGTIMESTAMP:timestamp} which is %{MONTH}
> +%{MONTHDAY} %{TIME}.
>
That's unfortunately incorrect. The Graylog "timestamp" has a very strict
format: -MM-dd HH:mm:ss.SSS
Any other tim
Well SYSLOGBASE2 formats it as %{SYSLOGTIMESTAMP:timestamp} which is %{MONTH}
+%{MONTHDAY} %{TIME}.
So I think it should be formated correctly, but how can I check the actual
format of a field after the extractors did run?
On Friday, January 13, 2017 at 4:39:55 PM UTC+1, Jochen Schalanda wrote:
Hi Frank,
On Friday, 13 January 2017 14:49:56 UTC+1, Frank wrote:
>
> There is a grok filter %{SYSLOGBASE2} (from the default logstash grok
> patterns) which should format the timestamp correctly.
>
Did you make sure that the "timestamp" field is an actual timestamp and not
a string after using
Hi,
these are syslog messages that get into Graylog by a syslog input.
There is a grok filter %{SYSLOGBASE2} (from the default logstash grok
patterns) which should format the timestamp correctly.
Anyway, we decided to ditch the Splunk output completely, so I don't have
the possibility to do anym
Hi Frank,
what's the content of your messages? How are you ingesting them?
Cheers,
Jochen
On Thursday, 12 January 2017 14:37:52 UTC+1, Frank wrote:
>
> That's what I expected. I just added a converter to the timestamp field,
> but that didn't change anything.
>
> On Thursday, January 12, 2017 a
That's what I expected. I just added a converter to the timestamp field,
but that didn't change anything.
On Thursday, January 12, 2017 at 2:21:40 PM UTC+1, Jochen Schalanda wrote:
>
> Hi Frank,
>
> it looks like the "timestamp" message field in one (or more) of your
> messages has the wrong typ
Hi Frank,
it looks like the "timestamp" message field in one (or more) of your
messages has the wrong type (String as opposed to being an actual
timestamp).
This *shouldn't* happen, but maybe rotating indices (System / Indices /
Maintenance) will help.
Cheers,
Jochen
On Thursday, 12 January
