We are ingesting a large amount of log data that is JSON formatted.  There 
is a timestamp field in the JSON blob that doesn't meet the format that the 
core JSON extractor expects.  In considering how to fix this, I have a 
number of questions.  I'm hoping that collectively you might know the answers:

1) Where in the codebase does the JSON extractor list possible field names 
that it might consider to be a message timestamp (can't quite see this)?

2) Are Drools rules applied prior to extractors running, i.e. could we munge 
the input with Drools?

3) In the event that no timestamp is identified in the message, what 
timestamp is recorded?  When the collector reads the line, when the server 
receives the lines, or when it is written to the ES index?

4) If we modified the JSON extractor to optionally allow the same type of 
flexible date matching as permitted in the regex extractor (Flexible date 
converter), is the Graylog project typically receptive to PRs?  I wouldn't 
want to be out of sync with upstream for a long, or potentially indefinite, 
period.

Many thanks!
Patrick
