Hi, I am new to graylog2 and I am having an issue with the timestamp that is displayed in each message.

I understand that the timestamp reflects the time that graylog imported the log messages, and not the timestamp associated with the application log message. For example, if I send a log file from my application server to the graylog server, the timestamp of my application log message is a different field (when extracted) in the graylog UI.

I was able to configure my application log message timestamp to be a date type, and the search query has to be formulated to reflect the time zone difference, since "now" is going to be the UTC time. So I will have an awkward query like the following (to query the latest 5-minute time frame):

    "filter": {
      "bool": {
        "must": {
          "range": {
            "mytimestampDate": {
              "from": "now-4h-5m",
              "to": "now-4h",
              "include_lower": true,
              "include_upper": true
            }
          }
        }
      }
    }

and NOT

    "filter": {
      "bool": {
        "must": {
          "range": {
            "mytimestampDate": {
              "from": "now-5m",
              "to": "now",
              "include_lower": true,
              "include_upper": true
            }
          }
        }
      }
    }

The BEST solution is to replace/overwrite the timestamp of the graylog server with the timestamp of the application log message that is shipped over to graylog2. This is because the web interface is using the timestamp to do queries. I was able to do it with Logstash by using a date filter, and I was able to do it with Fluentd by using a plugin. Both worked beautifully. However, I have not found a solution for graylog2. Is there a workaround?

Thanks
Wayne
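An added example, not part of the original post: a Python illustration of why a zone-less application timestamp indexed as UTC only matches the "now-4h-5m" to "now-4h" range, and how converting it to UTC before shipping lets the plain "now-5m" to "now" range match. The UTC-4 source offset, the timestamp format and all sample values are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumption: the application writes zone-less local timestamps at UTC-4,
# matching the 4h offset in the queries above. A fixed offset ignores DST;
# use zoneinfo.ZoneInfo with a named zone where DST applies.
APP_UTC_OFFSET = timezone(timedelta(hours=-4))
APP_TS_FORMAT = "%Y-%m-%d %H:%M:%S"  # constructed sample format


def parse_as_utc_naively(raw):
    """Model a zone-less string indexed as a date: it is read as if UTC."""
    return datetime.strptime(raw, APP_TS_FORMAT).replace(tzinfo=timezone.utc)


def normalize_to_utc(raw, source_tz=APP_UTC_OFFSET):
    """Attach the real source zone, then convert to UTC before shipping."""
    local = datetime.strptime(raw, APP_TS_FORMAT).replace(tzinfo=source_tz)
    return local.astimezone(timezone.utc)


def in_window(event_time, now, start_offset, end_offset):
    """Inclusive range check, like include_lower/include_upper = true."""
    return now - start_offset <= event_time <= now - end_offset


def demo():
    # Constructed sample: server "now" in UTC, event logged 2 minutes earlier.
    now = datetime(2014, 6, 1, 16, 0, 0, tzinfo=timezone.utc)
    raw = "2014-06-01 11:58:00"  # application local time (UTC-4)
    naive = parse_as_utc_naively(raw)
    fixed = normalize_to_utc(raw)
    m5, h4 = timedelta(minutes=5), timedelta(hours=4)
    return {
        "naive_hits_now_5m": in_window(naive, now, m5, timedelta(0)),
        "naive_hits_now_4h_5m": in_window(naive, now, h4 + m5, h4),
        "fixed_hits_now_5m": in_window(fixed, now, m5, timedelta(0)),
        "skew": fixed - naive,
        "fixed_iso": fixed.isoformat(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same skew affects any correlation of these events with sources that already log in UTC, so normalizing at the shipper keeps timelines consistent across hosts.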