The timestamp parser does not produce fields but instead transforms its input from a string to an internal timestamp format displayed in milliseconds from the UNIX epoch start, January 1, 1970 (midnight UTC/GMT).
The only supported configuration option is format. For example, format=%Y-%m-%d %H:%M:%S.
Unlike the CLF parser, the timestamp parser can parse time when there are no delimiters between time specifiers, for example %A%B%d%H%M%S%Y%z.
Format specifiers that are used by the timestamp parser are:
'%a': Abbreviated weekday name, for example: Thu
'%A': Full weekday name, for example: Thursday
'%b': Abbreviated month name, for example: Aug
'%B': Full month name, for example: August
'%d': Day of the month, for example: 23. strftime() expects zero-padded (01-31) digits
for this specifier but Log Insight agents can parse space-padded and non-padded
day numbers, too.
'%e': Day of the month, for example: 13. strftime() expects space-padded ( 1-31) digits
for this specifier but Log Insight agents can parse zero-padded and non-padded
day numbers too.
'%f': Fractional seconds of time, for example: .036 'f' specifier assumes that '.' or ','
character should exist before fractional seconds and there is no need to mention
that character in the format. If none of these characters precedes fractional seconds,
timestamp wouldn't be parsed.
'%H': Hour in 24h format (00-23), for example: 14. Zero-padded, space-padded, and non-padded hours
are supported.
'%I': Hour in 12h format (01-12), for example: 02. Zero-padded, space-padded and non-padded hours
are supported.
'%m': Month as a decimal number (01-12), for example: 08. Zero-padded, space-padded
and non-padded month numbers are supported.
'%M': Minute (00-59), for example: 55
'%p': AM or PM designation, for example: PM
'%S': Second (00-61), for example: 02
'%s': Total number of seconds from the UNIX epoch start, for example 1457940799
(represents '2016-03-14T07:33:19' timestamp)
'%Y': Year, for example: 2001
'%z': ISO 8601 offset from UTC in timezone (1 minute=1, 1 hour=100)., for example: +100
Additional specifiers are accepted by the timestamp parser, but their values are ignored and do not affect the parsed time.
'%C': Year divided by 100 and truncated to integer (00-99), for example: 20 '%g': Week-based year, last two digits (00-99), for example, 01 '%G': Week-based year, for example, 2001 '%j': Day of the year (001-366), for example: 235 '%u': ISO 8601 weekday as number with Monday as 1 (1-7), for example: 4 '%U': Week number with the first Sunday as the first day of week one (00-53), for example: 33 '%V': ISO 8601 week number (00-53), for example: 34 '%w': Weekday as a decimal number with Sunday as 0 (0-6), for example: 4 '%W': Week number with the first Monday as the first day of week one (00-53), for example: 34 '%y': Year, last two digits (00-99), for example: 01
If a format parameter is not defined, the Timestamp parser parses the timestamps using the default formats.
Automatic Timestamp Parser
timestamp in the
field_decoder. For example:
[parser|mycsv]
base_parser=csv
debug=yes
fields=timestamp,action,source_id,dest
field_decoder={"timestamp": "timestamp"}
A Timestamp Parser with the Default Configuration
This example shows a timestamp parser with a default configuration.
[parser|tsp_parser] base_parser=timestamp debug=no format=%Y-%m-%d %H:%M:%S%f
To integrate a timestamp parser with other parsers, for example the CSV parser, specify the following configuration.
[parser|mycsv]
base_parser=csv
fields=timestamp,action,source_id,dest
field_decoder={"timestamp": "tsp_parser"}
When this configuration is defined, mycsv parser extracts the fields with the names that are specified in the configuration, and runs tsp_parser on the content of the timestamp field. If tsp_parser retrieves a valid timestamp, the server uses that timestamp for the log message.
