Timestamp in Metron is always a unix epoch to avoid things like timezone issues.
In this case, you can resolve this using a field transformation at the parsing stage, with the TO_EPOCH_TIMESTAMP function. Some custom parsers already do this, but for those that don’t, a simple bit of stellar will clean it up.

Simon

> On 10 Apr 2019, at 07:34, <stephane.d...@orange.com> <stephane.d...@orange.com> wrote:
>
> Hello everybody,
>
> Don’t worry, I won’t ask you to debug my Grok statement :-)
>
> By the way, I’m facing the following situation: I have in my “error_index” Elastic index some documents with a raw_message field that shows that the origin message was parsed (see screenshot) and contains in addition an “original_string” which is the raw message:
>
> <image001.png>
>
> What is wrong here? Why does it go to error_index?
>
> Thanks,
>
> Stéphane
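A Metron parser configuration that applies the Stellar transformation Simon describes, converting a string date field into the epoch `timestamp` the rest of the pipeline expects. This is an added example, not code from the thread or from the Metron project; the sensor topic `mysensor`, the parsed field name `timestamp_str`, the Grok pattern path and label, and the date format and timezone are assumptions that must match your own parser output.

```json
{
  "parserClassName": "org.apache.metron.parsers.GrokParser",
  "sensorTopic": "mysensor",
  "parserConfig": {
    "grokPath": "/patterns/mysensor",
    "patternLabel": "MYSENSOR"
  },
  "fieldTransformations": [
    {
      "transformation": "STELLAR",
      "output": ["timestamp"],
      "config": {
        "timestamp": "TO_EPOCH_TIMESTAMP(timestamp_str, 'yyyy-MM-dd HH:mm:ss', 'UTC')"
      }
    }
  ]
}
```

The assumed `timestamp_str` field is whatever name your Grok pattern assigns to the raw date; the transformation overwrites (or creates) the numeric `timestamp` field from it, so a message whose date could not be converted is the first thing to check when documents land in error_index.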