timestamp 剖析器不會產生欄位,而是會將其輸入從字串轉換成以毫秒顯示的內部時間戳記格式 (自 UNIX epoch 起始,即,1970 年 1 月 1 日 (午夜 UTC/GMT) 起始)。
唯一支援的組態選項為 format。例如, format=%Y-%m-%d %H:%M:%S。
與 CLF 剖析器不同,timestamp 剖析器可以剖析時間規範之間沒有分隔符號的時間,例如 %A%B%d%H%M%S%Y%z。
timestamp 剖析器使用的格式規範如下:
'%a': Abbreviated weekday name, for example: Thu
'%A': Full weekday name, for example: Thursday
'%b': Abbreviated month name, for example: Aug
'%B': Full month name, for example: August
'%d': Day of the month, for example: 23. strftime() expects zero-padded (01-31) digits
for this specifier but Log Insight agents can parse space-padded and non-padded
day numbers, too.
'%e': Day of the month, for example: 13. strftime() expects space-padded ( 1-31) digits
for this specifier but Log Insight agents can parse zero-padded and non-padded
day numbers too.
'%f': Fractional seconds of time, for example: .036 'f' specifier assumes that '.' or ','
character should exist before fractional seconds and there is no need to mention
that character in the format. If none of these characters precedes fractional seconds,
timestamp wouldn't be parsed.
'%H': Hour in 24h format (00-23), for example: 14. Zero-padded, space-padded, and non-padded hours
are supported.
'%I': Hour in 12h format (01-12), for example: 02. Zero-padded, space-padded and non-padded hours
are supported.
'%m': Month as a decimal number (01-12), for example: 08. Zero-padded, space-padded
and non-padded month numbers are supported.
'%M': Minute (00-59), for example: 55
'%p': AM or PM designation, for example: PM
'%S': Second (00-61), for example: 02
'%s': Total number of seconds from the UNIX epoch start, for example 1457940799
(represents '2016-03-14T07:33:19' timestamp)
'%Y': Year, for example: 2001
'%z': ISO 8601 offset from UTC in timezone (1 minute=1, 1 hour=100)., for example: +100
其他規範可由時間戳記剖析器接受,但其值會忽略且不會影響剖析的時間。
'%C': Year divided by 100 and truncated to integer (00-99), for example: 20 '%g': Week-based year, last two digits (00-99), for example, 01 '%G': Week-based year, for example, 2001 '%j': Day of the year (001-366), for example: 235 '%u': ISO 8601 weekday as number with Monday as 1 (1-7), for example: 4 '%U': Week number with the first Sunday as the first day of week one (00-53), for example: 33 '%V': ISO 8601 week number (00-53), for example: 34 '%w': Weekday as a decimal number with Sunday as 0 (0-6), for example: 4 '%W': Week number with the first Monday as the first day of week one (00-53), for example: 34 '%y': Year, last two digits (00-99), for example: 01
如果未定義 format 參數,Timestamp 剖析器會使用預設格式剖析時間戳記。
自動時間戳記剖析器
未針對時間戳記剖析器定義格式時會叫用自動時間戳記剖析器,或透過在
field_decoder 中使用
timestamp 來直接叫用剖析器,而無需定義時間戳記剖析器。例如:
[parser|mycsv]
base_parser=csv
debug=yes
fields=timestamp,action,source_id,dest
field_decoder={"timestamp": "timestamp"}
具有預設組態的時間戳記剖析器
此範例顯示具有預設組態的 timestamp 剖析器。
[parser|tsp_parser] base_parser=timestamp debug=no format=%Y-%m-%d %H:%M:%S%f
若要將 timestamp 剖析器與其他剖析器 (例如 CSV 剖析器) 整合,請指定下列組態。
[parser|mycsv]
base_parser=csv
fields=timestamp,action,source_id,dest
field_decoder={"timestamp": "tsp_parser"}
定義此組態後,mycsv 剖析器會擷取具有組態中指定之名稱的欄位,並針對 timestamp 欄位的內容執行 tsp_parser。如果 tsp_parser 擷取了有效時間戳記,伺服器會將此時間戳記用於記錄訊息。