timestamp 分析程序不产生字段,而是将其输入从字符串形式转换为内部时间戳格式,该格式显示为从 UNIX 纪元开始时间(1970 年 1 月 1 日,UTC/GMT 午夜)起的毫秒数。

唯一受支持的配置选项是 format。例如 format=%Y-%m-%d %H:%M:%S

与 CLF 分析程序不同,timestamp 分析程序可以在时间说明符之间没有分隔符时分析时间,例如 %A%B%d%H%M%S%Y%z

timestamp 分析程序使用的格式说明符如下:

'%a':    Abbreviated weekday name, for example: Thu
'%A':    Full weekday name, for example: Thursday
'%b':    Abbreviated month name, for example: Aug
'%B':    Full month name, for example: August
'%d':    Day of the month, for example: 23. strftime() expects zero-padded (01-31) digits
         for this specifier but Log Insight agents can parse space-padded and non-padded 
         day numbers, too. 
'%e':    Day of the month, for example: 13. strftime() expects space-padded ( 1-31) digits 
         for this specifier but Log Insight agents can parse zero-padded and non-padded 
         day numbers too. 
'%f':    Fractional seconds of time, for example: .036 'f' specifier assumes that '.' or ',' 
         character should exist before fractional seconds and there is no need to mention 
         that character in the format. If none of these characters precedes fractional seconds, 
         timestamp wouldn't be parsed.
'%H':    Hour in 24h format (00-23), for example: 14. Zero-padded, space-padded, and non-padded hours 
         are supported.
'%I':    Hour in 12h format (01-12), for example: 02. Zero-padded, space-padded and non-padded hours 
         are supported.
'%m':    Month as a decimal number (01-12), for example: 08. Zero-padded, space-padded 
         and non-padded month numbers are supported.
'%M':    Minute (00-59), for example: 55
'%p':    AM or PM designation, for example: PM
'%S':    Second (00-61), for example: 02
'%s':    Total number of seconds from the UNIX epoch start, for example 1457940799 
         (represents '2016-03-14T07:33:19' timestamp)
'%Y':    Year, for example: 2001
'%z':    ISO 8601 offset from UTC in timezone (1 minute=1, 1 hour=100)., for example: +100

时间戳分析程序可接受其他说明符,但这些说明符的值都被忽略且不会影响分析时间。

'%C':    Year divided by 100 and truncated to integer (00-99), for example: 20
'%g':    Week-based year, last two digits (00-99), for example, 01
'%G':    Week-based year, for example, 2001
'%j':    Day of the year (001-366), for example: 235
'%u':    ISO 8601 weekday as number with Monday as 1 (1-7), for example: 4
'%U':    Week number with the first Sunday as the first day of week one (00-53), for example: 33
'%V':    ISO 8601 week number (00-53), for example: 34
'%w':    Weekday as a decimal number with Sunday as 0 (0-6), for example: 4
'%W':    Week number with the first Monday as the first day of week one (00-53), for example: 34
'%y':    Year, last two digits (00-99), for example: 01

如果未定义 format 参数,Timestamp 分析程序将使用默认格式分析时间戳。

自动时间戳分析程序

没有为时间戳分析程序定义格式时将调用自动时间戳分析程序,也可以在没有定义时间戳分析程序的情况下,通过在 field_decoder 中使用 timestamp 直接调用该分析程序。例如:
[parser|mycsv]
base_parser=csv
debug=yes
fields=timestamp,action,source_id,dest
field_decoder={"timestamp": "timestamp"}

使用默认配置的时间戳分析程序

此示例显示了使用默认配置的timestamp分析程序。

[parser|tsp_parser]
base_parser=timestamp
debug=no
format=%Y-%m-%d %H:%M:%S%f

要将 timestamp 分析程序与其他分析程序(例如 CSV 分析程序)相集成,请指定以下配置。

[parser|mycsv]
base_parser=csv 
fields=timestamp,action,source_id,dest
field_decoder={"timestamp": "tsp_parser"}

定义此配置时,mycsv 分析程序将提取名称为配置中所指定名称的字段,然后对 timestamp 字段的内容运行 tsp_parser。如果 tsp_parser 检索到有效的时间戳,服务器会将该时间戳用于日志消息。