timestamp
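The parser does not produce fields. Instead, it converts its input from a string into the internal timestamp format, which is expressed as the number of milliseconds since the start of the UNIX epoch (January 1, 1970, midnight UTC/GMT).
The only supported configuration option is format. For example, format=%Y-%m-%d %H:%M:%S.
Unlike the CLF parser, the timestamp parser can parse time when there are no delimiters between time specifiers, for example %A%B%d%H%M%S%Y%z.
The timestamp parser uses the following format specifiers: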
'%a': Abbreviated weekday name, for example: Thu
'%A': Full weekday name, for example: Thursday
'%b': Abbreviated month name, for example: Aug
'%B': Full month name, for example: August
'%d': Day of the month, for example: 23. strftime() expects zero-padded (01-31) digits for this specifier but Log Insight agents can parse space-padded and non-padded day numbers, too.
'%e': Day of the month, for example: 13. strftime() expects space-padded ( 1-31) digits for this specifier but Log Insight agents can parse zero-padded and non-padded day numbers too.
'%f': Fractional seconds of time, for example: .036. The 'f' specifier assumes that a '.' or ',' character should exist before fractional seconds and there is no need to mention that character in the format. If none of these characters precedes fractional seconds, timestamp wouldn't be parsed.
'%H': Hour in 24h format (00-23), for example: 14. Zero-padded, space-padded, and non-padded hours are supported.
'%I': Hour in 12h format (01-12), for example: 02. Zero-padded, space-padded and non-padded hours are supported.
'%m': Month as a decimal number (01-12), for example: 08. Zero-padded, space-padded and non-padded month numbers are supported.
'%M': Minute (00-59), for example: 55
'%p': AM or PM designation, for example: PM
'%S': Second (00-61), for example: 02
'%s': Total number of seconds from the UNIX epoch start, for example 1457940799 (represents '2016-03-14T07:33:19' timestamp)
'%Y': Year, for example: 2001
'%z': ISO 8601 offset from UTC in timezone (1 minute=1, 1 hour=100), for example: +100
The timestamp parser accepts additional specifiers, but their values are ignored and do not affect the parsed time.
'%C': Year divided by 100 and truncated to integer (00-99), for example: 20
'%g': Week-based year, last two digits (00-99), for example, 01
'%G': Week-based year, for example, 2001
'%j': Day of the year (001-366), for example: 235
'%u': ISO 8601 weekday as number with Monday as 1 (1-7), for example: 4
'%U': Week number with the first Sunday as the first day of week one (00-53), for example: 33
'%V': ISO 8601 week number (00-53), for example: 34
'%w': Weekday as a decimal number with Sunday as 0 (0-6), for example: 4
'%W': Week number with the first Monday as the first day of week one (00-53), for example: 34
'%y': Year, last two digits (00-99), for example: 01
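If the format parameter is not defined, the Timestamp parser parses the timestamp using the default formats.
Automatic Timestamp Parser
The automatic timestamp parser is invoked when no format is defined for the timestamp parser. It can also be invoked directly, without defining a timestamp parser, by using timestamp in field_decoder. For example: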
[parser|mycsv]
base_parser=csv
debug=yes
fields=timestamp,action,source_id,dest
field_decoder={"timestamp": "timestamp"}
Timestamp Parser with the Default Configuration
This example shows a timestamp parser with the default configuration.
[parser|tsp_parser]
base_parser=timestamp
debug=no
format=%Y-%m-%d %H:%M:%S%f
To integrate the timestamp parser with other parsers (for example, the CSV parser), specify the following configuration.
[parser|mycsv]
base_parser=csv
fields=timestamp,action,source_id,dest
field_decoder={"timestamp": "tsp_parser"}
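When this configuration is defined, the mycsv parser extracts the fields with the names specified in the configuration, and then runs tsp_parser on the content of the timestamp field. If tsp_parser retrieves a valid timestamp, the server uses that timestamp for the log message.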
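The specifier rules above can be checked against sample log lines before a format string is deployed. The following Python function is an added illustration, not the Log Insight agent's code: it applies a subset of the listed specifiers (relaxed padding, the '.' or ',' required before %f, delimiter-less formats, the %z offset) and returns milliseconds since the UNIX epoch. The names to_epoch_ms and SPEC are hypothetical, and treating a time without %z as UTC is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# Regex per specifier (subset of the list above). Day, month and hour accept
# zero-, space- or non-padded digits; %f requires a leading '.' or ','.
SPEC = {
    "Y": r"(?P<Y>\d{4})",
    "m": r" ?(?P<m>\d{1,2})",
    "d": r" ?(?P<d>\d{1,2})",
    "e": r" ?(?P<d>\d{1,2})",
    "H": r" ?(?P<H>\d{1,2})",
    "M": r"(?P<M>\d{2})",
    "S": r"(?P<S>\d{2})",
    "f": r"[.,](?P<f>\d+)",
    "s": r"(?P<s>\d+)",
    "z": r"(?P<z>[+-]\d{1,4})",
}
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def to_epoch_ms(text, fmt):
    """Return milliseconds since the UNIX epoch, or None if text does not fit fmt."""
    pattern = re.sub(
        r"%(.)|([^%]+)",
        lambda m: SPEC[m.group(1)] if m.group(1) else re.escape(m.group(2)),
        fmt,
    )
    m = re.fullmatch(pattern, text)
    if m is None:
        return None
    g = m.groupdict()
    frac_ms = int((g.get("f", "") + "000")[:3])  # keep millisecond precision
    if "s" in g:  # %s already counts seconds from the epoch
        return int(g["s"]) * 1000 + frac_ms
    sign, hhmm = (g["z"][0], int(g["z"][1:])) if "z" in g else ("+", 0)
    try:
        # Assumption: with no %z in the format, the time is treated as UTC.
        offset = timedelta(hours=hhmm // 100, minutes=hhmm % 100)
        tz = timezone(-offset if sign == "-" else offset)
        # Seconds are added afterwards so values 60 and 61 still parse.
        dt = datetime(int(g["Y"]), int(g["m"]), int(g["d"]),
                      int(g.get("H", 0)), int(g.get("M", 0)), tzinfo=tz)
    except (KeyError, ValueError):  # missing date part or impossible value
        return None
    dt += timedelta(seconds=int(g.get("S", 0)))
    return (dt - EPOCH) // timedelta(milliseconds=1) + frac_ms
```

A None result for a sample line means the format string does not describe that line, which is worth catching before the configuration is rolled out to agents.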