Hi Al,
the "timestamp" field has to be a Date object and not a string.
Additionally, the first parameter of your set_field() call seems odd
("$timestamp" instead of "timestamp").
This rule might work, although I haven't tested it:
rule "WO-CS-RAS"
when
  contains(to_string($message.file), "centralserver\\ras-server\\log\\ras_cs_")
then
  set_field("WO_Log_Source", "RAS-CS");
  let matches = grok(pattern: "%{WO_CS_RAS_CS_MESSAGE}", value: to_string($message.message));
  set_fields(matches);
  let date = parse_date(to_string($message.WO_Timestamp), "YYYY-MM-dd HH:mm:ss,sss");
  set_field("timestamp", date);
  route_to_stream("WideOrbit Logs");
end
Cheers,
Jochen
On Tuesday, 7 February 2017 20:52:38 UTC+1, Al Reynolds wrote:
>
> Hello all,
>
> I'm attempting to switch our logging infrastructure from the ELK stack to
> Graylog, but I'm running into an issue with the pipeline rules and
> replacing the timestamp field. Rule below:
>
> rule "WO-CS-RAS"
> when
>   contains(to_string($message.file), "centralserver\\ras-server\\log\\ras_cs_")
> then
>   set_field("WO_Log_Source", "RAS-CS");
>   let matches = grok(pattern: "%{WO_CS_RAS_CS_MESSAGE}", value: to_string($message.message));
>   set_fields(matches);
>   let date = parse_date(to_string($message.WO_Timestamp), "YYYY-MM-dd HH:mm:ss,sss");
>   let new_date = format_date(date,"YYYY-MM-DD'T'HH:mm:ss.SSS");
>   set_field("$timestamp", new_date);
>   route_to_stream("WideOrbit Logs");
> end
>
> I've tried without the date formatter as well--no luck there either. The
> rule will error out and not replace the timestamp field. Everything else
> works perfectly. Any suggestions as to where I might be going wrong? If I
> use an extractor I can replace the timestamp field, but I'd like to keep
> everything in one place if possible.
>
> Thanks!
>
> Cheers,
> Al
>