Jochen,

Thanks for the reply! I'm guessing my problem is that the source field (in 
this case WO_Timestamp) is not a date object, as I'm not having any luck 
with your example either. I was under the impression that using the 
"parse_date" function would create a Date object? 

As for "$timestamp" instead of "timestamp", I was trying different 
configurations, and thought that since the message field is referenced as 
"$message" I would try that format. What does the "$" indicate? 

Thanks!

Cheers,
Al

On Wednesday, February 8, 2017 at 2:44:38 AM UTC-5, Jochen Schalanda wrote:
>
> Hi Al,
>
> the "timestamp" field has to be a Date object and not a string. 
> Additionally, the first parameter of your set_field() call seems odd 
> ("$timestamp" instead of "timestamp").
>
> This rule might work, although I haven't tested it:
>
> rule "WO-CS-RAS"
> when
>     contains(to_string($message.file),"centralserver\\ras-server\\log\\ras_cs_")
> then
>     set_field("WO_Log_Source","RAS-CS");
>     let matches = grok(pattern: "%{WO_CS_RAS_CS_MESSAGE}", value: to_string($message.message));
>     set_fields(matches);
>     let date = parse_date(to_string($message.WO_Timestamp), "YYYY-MM-dd HH:mm:ss,sss");
>     set_field("timestamp", date);
>     route_to_stream("WideOrbit Logs");
> end
>
>
> Cheers,
> Jochen
>
>
> On Tuesday, 7 February 2017 20:52:38 UTC+1, Al Reynolds wrote:
>>
>> Hello all,
>>
>> I'm attempting to switch our logging infrastructure from the ELK stack to 
>> Graylog, but I'm running into an issue with the pipeline rules and 
>> replacing the timestamp field. Rule below: 
>>
>> rule "WO-CS-RAS"
>> when
>>     contains(to_string($message.file),"centralserver\\ras-server\\log\\ras_cs_")
>> then
>>     set_field("WO_Log_Source","RAS-CS");
>>     let matches = grok(pattern: "%{WO_CS_RAS_CS_MESSAGE}", value: to_string($message.message));
>>     set_fields(matches);
>>     let date = parse_date(to_string($message.WO_Timestamp), "YYYY-MM-dd HH:mm:ss,sss");
>>     let new_date = format_date(date,"YYYY-MM-DD'T'HH:mm:ss.SSS");
>>     set_field("$timestamp", new_date);
>>     route_to_stream("WideOrbit Logs");
>> end
>>
>> I've tried without the date formatter as well--no luck there either. The 
>> rule will error out and not replace the timestamp field. Everything else 
>> works perfectly. Any suggestions as to where I might be going wrong? If I 
>> use an extractor I can replace the timestamp field, but I'd like to keep 
>> everything in one place if possible. 
>>
>> Thanks!
>>
>> Cheers,
>> Al
>>
>
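Editor's note with an added example (not code from this thread, from Al or Jochen, or from Graylog itself): pipeline rules are hard to test before they are deployed, so the script below mirrors what the rule's `then` block does in plain Python and lets the date format be checked offline against a sample log value. Two facts it relies on: in Graylog pipeline rules `$message` is the reference to the message currently being processed, so field names handed to `set_field()` are plain strings without a `$`; and `parse_date()` uses Joda-Time pattern letters, where upper-case `S` is the fraction of a second and lower-case `s` is the second of the minute. Everything else is an assumption: the Joda-to-strptime token table, the regex standing in for the `WO_CS_RAS_CS_MESSAGE` grok pattern (not on the page), the constructed sample message, and UTC as the zone of the log line.

```python
"""Offline mirror of a Graylog pipeline rule's timestamp handling.

Hypothetical helper, not Graylog code. Graylog's parse_date() takes a
Joda-Time pattern, so the pattern is translated to strptime directives
(assumed mapping below) and tried against a sample value before deploying.
"""
import re
from datetime import datetime, timezone

# Assumed subset of Joda-Time pattern letters -> strptime directives.
# Upper-case 'S' is fraction-of-second in Joda; lower-case 's' is
# second-of-minute, so a token like 'sss' is deliberately left unmapped.
JODA_TO_STRPTIME = {
    "YYYY": "%Y", "yyyy": "%Y",
    "MM": "%m", "dd": "%d",
    "HH": "%H", "mm": "%M", "ss": "%S",
    "SSS": "%f",
}


def joda_to_strptime(pattern: str) -> str:
    """Translate a Joda pattern; raise ValueError on an unmapped token."""
    out = []
    for tok in re.findall(r"[A-Za-z]+|'[^']*'|[^A-Za-z']+", pattern):
        if tok.startswith("'"):            # quoted literal such as 'T'
            out.append(tok.strip("'"))
        elif tok.isalpha():
            if tok not in JODA_TO_STRPTIME:
                raise ValueError(f"unsupported Joda token {tok!r}")
            out.append(JODA_TO_STRPTIME[tok])
        else:                              # separators: '-', ' ', ':', ','
            out.append(tok)
    return "".join(out)


def parse_timestamp(value: str, joda_pattern: str) -> datetime:
    """Return a datetime object (the type the rule needs), assumed UTC."""
    fmt = joda_to_strptime(joda_pattern)
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_format(joda_pattern: str, sample_value: str) -> bool:
    """True when the pattern parses the sample value without error."""
    try:
        parse_timestamp(sample_value, joda_pattern)
        return True
    except ValueError:
        return False


# Constructed sample message; the real grok pattern is not on the page, so a
# regex with the same field names stands in for it.
SAMPLE_MESSAGE = {
    "file": r"C:\wideorbit\centralserver\ras-server\log\ras_cs_20170207.log",
    "message": "2017-02-07 20:52:38,123 INFO  RasServer started",
}
GROK_STAND_IN = re.compile(
    r"(?P<WO_Timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<WO_Level>\w+)\s+(?P<WO_Text>.*)"
)


def apply_rule(message: dict, joda_pattern: str) -> dict:
    """Mirror of the rule: contains() guard, set_field, grok, parse_date."""
    fields = dict(message)
    if "centralserver\\ras-server\\log\\ras_cs_" not in fields["file"]:
        return fields
    fields["WO_Log_Source"] = "RAS-CS"
    m = GROK_STAND_IN.match(fields["message"])
    if m:
        fields.update(m.groupdict())           # set_fields(matches)
        # The field is named "timestamp" (no '$'; '$' only marks the
        # $message reference) and holds a datetime, not a string.
        fields["timestamp"] = parse_timestamp(fields["WO_Timestamp"], joda_pattern)
    return fields


if __name__ == "__main__":
    result = apply_rule(SAMPLE_MESSAGE, "YYYY-MM-dd HH:mm:ss,SSS")
    print(type(result["timestamp"]).__name__, result["timestamp"].isoformat())
    print("ss,sss parses:", check_format("YYYY-MM-dd HH:mm:ss,sss", "2017-02-07 20:52:38,123"))
```

Running `check_format()` with the pattern from the rule as posted and with `SSS` in place of `sss` shows whether the milliseconds token is the part that fails on a real `WO_Timestamp` value; once a pattern parses the sample, `apply_rule()` shows the field set the rule would produce, with `timestamp` as a date object.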

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/919e3853-8bb3-462c-b12c-908779a46bf1%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.