Stream rules tester produce wrong result with the timestamp field when timezone is not UTC

[frantz45]

Expected Behavior

The Stream rules tester should reflect the real behavior of how rules are checked

Current Behavior

The rules tester uses the indexed timestamp whereas rules checked the received timestamp

Steps to Reproduce (for bugs)

1. Configure Graylog in Europe/Paris timezone in server.conf
2. Create a Stream with a rule based on timestamp, for example regexp matches "^\d{4}-\d{2}-\d{2}[ T]14:0\d:"
3. Enable the Stream
4. Send a log with a timestamp matching the Stream rule condition, for example: 2022-09-05 14:05:00. (I used a syslog input)
5. The log matches the rule and is affected to the Stream
6. Use the rule tester of this Stream and load the previously sent log. The tester says it doesn't match the regexp so the log won't enter the Stream, which is wrong. As you can observe the tester displays the timestamp in UTC, so it doesn't match the regexp because in UTC it's 12:05 and not 14:05.

So the real behavior is that Stream rules actually check the received timestamp (in Europe/Paris timezone) whereas the tester check the indexed timestamp (in UTC)

There may be some extra information in the community post I created firstly: https://community.graylog.org/t/filter-stream-with-a-rule-based-on-timestamp/25544

Context

I tried to exclude some logs of a Stream based on their timestamp.

Your Environment

• Graylog Version: 4.1.14
• Java Version: 1.8.0.262
• Elasticsearch Version: 7.10.2
• MongoDB Version: 4.2.19
• Operating System: CentOS 7.9.2009
• Browser version: Firefox 91.8.0 ESR