Hello all,
I'm attempting to switch our logging infrastructure from the ELK stack to
Graylog, but I'm running into an issue with the pipeline rules and
replacing the timestamp field. Rule below:
rule "WO-CS-RAS"
when
    contains(to_string($message.file), "centralserver\\ras-server\\log\\ras_cs_")
then
    set_field("WO_Log_Source", "RAS-CS");
    let matches = grok(pattern: "%{WO_CS_RAS_CS_MESSAGE}", value: to_string($message.message));
    set_fields(matches);
    let date = parse_date(to_string($message.WO_Timestamp), "YYYY-MM-dd HH:mm:ss,sss");
    let new_date = format_date(date, "YYYY-MM-DD'T'HH:mm:ss.SSS");
    set_field("$timestamp", new_date);
    route_to_stream("WideOrbit Logs");
end
I've tried without the date formatter as well--no luck there either. The
rule will error out and not replace the timestamp field. Everything else
works perfectly. Any suggestions as to where I might be going wrong? If I
use an extractor I can replace the timestamp field, but I'd like to keep
everything in one place if possible.
Thanks!
Cheers,
Al
--
You received this message because you are subscribed to the Google Groups
"Graylog Users" group.
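Added example (editor's note, not Al's rule or Graylog project code): the same pipeline rule with the timestamp handling written the way the Graylog pipeline language expects. It keeps the grok pattern name, the WO_Timestamp field and the stream name from the post as given; the UTC timezone argument is an assumption made here because the quoted log format carries no zone. Three points in the original differ: Joda-Time patterns use lowercase "s" for second-of-minute and uppercase "S" for fraction-of-second, so "ss,sss" cannot match a value like "03:04:05,678"; "DD" is day-of-year, not day-of-month; and the message timestamp is set through the field name "timestamp" (no "$") with a DateTime value, so no format_date back to a string is needed. Getting this right matters beyond tidiness: a rule that errors leaves events stamped with ingestion time instead of event time, which silently skews any detection or incident timeline built on them.

```graylog
rule "WO-CS-RAS"
when
    contains(to_string($message.file), "centralserver\\ras-server\\log\\ras_cs_")
then
    set_field("WO_Log_Source", "RAS-CS");

    // Grok pattern name and extracted WO_Timestamp field are taken from the original post.
    let matches = grok(pattern: "%{WO_CS_RAS_CS_MESSAGE}", value: to_string($message.message));
    set_fields(matches);

    // Joda pattern: "ss" = second-of-minute, "SSS" = milliseconds.
    // The original "ss,sss" never matches ",678", which is why parse_date fails.
    // timezone: "UTC" is an assumption; the source log lines carry no zone.
    let event_time = parse_date(
        value: to_string($message.WO_Timestamp),
        pattern: "yyyy-MM-dd HH:mm:ss,SSS",
        timezone: "UTC"
    );

    // The message timestamp lives in the field named "timestamp" (no leading "$")
    // and must be a DateTime, so the parsed value is set directly; no format_date.
    set_field("timestamp", event_time);

    route_to_stream("WideOrbit Logs");
end
```

If WO_Timestamp is ever missing or malformed, parse_date still fails and the rule aborts, so a practical hardening is to guard the parse with has_field("WO_Timestamp") in a second rule stage and tag unparsed events (for example set_field("WO_Timestamp_Error", true)) so that events with an ingestion-time timestamp are searchable rather than invisible.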