Finds a timestamp in the given field and parses it, trying different formats for timestamps. The function returns the first timestamp in the field that matches one of its formats. It only finds timestamps starting within the first 128 characters of the text (configurable in the variable MAX_CHARS_TO_FIND_TIMESTAMP).
This function is primarily meant to be used in generic parsers that can be used for different event types. If the format of the timestamp is known, consider using the parseTimestamp() function instead.
The function supports the following formats:
year month day hour minute second [subsecond] [timezone]
month day [year] hour minute second [subsecond] [timezone]
month day hour minute second [subsecond] [timezone] year4
day monthLetter [year4] hour minute second [subsecond] [timezone]
hour minute second [subsecond] [timezone]
epochsecond [subsecond]
Values within brackets (e.g. [timezone]) are optional.
The different formats are described as follows:
Type | Description |
---|---|
year | The year with either two or four digits. |
year4 | The year with four digits. |
month | The month as two digits or three letters (e.g., 01 or Jan). |
monthLetter | The month as three letters (e.g., Jan) |
day | The day as two digits. |
hour | The hour as two digits (0-23 or 1-12). |
minute | The minutes as two digits. |
second | The seconds as two digits. |
subsecond | The sub-seconds as one to nine digits, for Unix epoch time only 3, 6 or 9 digits. |
timezone | The timezone as either a named timezone (e.g. UTC or America/New_York) or an offset (e.g. UTC+12:30). |
epochsecond | The seconds since Unix epoch (01-01-1970 00:00:00 UTC) as 10 digits. |
If the timezone is missing, the timezone parameter is used.
Note
If timestamps are written in a timezone with Daylight Saving Time, it is recommended that the timezone parameter is specified and written as an offset. Otherwise, when switching from Daylight Saving Time to Standard Time, there is no way to differentiate between the last hour before the switch and the first hour after.
If the date (year, month and day) is missing, today's date is used if the time is at most 10 minutes into the future; otherwise, yesterday's date is used.
If the year is missing, the largest of last year, this year and next year is used so that the date is at most 7 days into the future.
If the year is only two digits, it is assumed to be between 2013 and 2099. If you need to parse dates before 2013 with only two digits for year, use the parseTimestamp() function instead.
Leap seconds are ignored, so 60 seconds is converted to 59 seconds.
Up to 9 digits of sub seconds are accepted, but since timestamps are stored with millisecond precision, only the first 3 digits are used.
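The defaulting rules above decide where an ambiguous log line lands on the timeline. The following Python model of those documented rules is an added example, not LogScale code; the function names and the NOW ingest clock are assumptions, and it assumes a fixed-offset timezone.

```python
from datetime import datetime, timedelta, timezone

def clamp_second(second):
    # Leap seconds are ignored: 60 is converted to 59.
    return min(second, 59)

def resolve_time_only(hour, minute, second, now):
    """No date in the line: today, unless that is >10 minutes ahead of now."""
    candidate = now.replace(hour=hour, minute=minute,
                            second=clamp_second(second), microsecond=0)
    if candidate - now <= timedelta(minutes=10):
        return candidate
    return candidate - timedelta(days=1)

def resolve_missing_year(month, day, hour, minute, second, now):
    """No year: largest of next/this/last year that is <=7 days ahead of now."""
    for year in (now.year + 1, now.year, now.year - 1):
        try:
            candidate = datetime(year, month, day, hour, minute,
                                 clamp_second(second), tzinfo=now.tzinfo)
        except ValueError:  # Feb 29 does not exist in this candidate year
            continue
        if candidate - now <= timedelta(days=7):
            return candidate
    raise ValueError("no candidate year fits")

def subsecond_to_millis(digits):
    """Up to 9 sub-second digits are accepted; only the first 3 are kept."""
    return int(digits[:3].ljust(3, "0"))

# Constructed ingest clock for the demonstration (assumption, not from the page).
NOW = datetime(2024, 1, 2, 12, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    # Source clock 5 minutes fast: still counted as today.
    print(resolve_time_only(12, 5, 0, NOW))
    # Source clock 15 minutes fast: pushed back to yesterday.
    print(resolve_time_only(12, 15, 0, NOW))
    # "Dec 31 23:59:59" ingested on Jan 2 resolves to the previous year.
    print(resolve_missing_year(12, 31, 23, 59, 59, NOW))
    # "Jan 10" is more than 7 days ahead, so it also resolves to last year.
    print(resolve_missing_year(1, 10, 0, 0, 0, NOW))
    print(subsecond_to_millis("123456789"))
```

Under these rules, a source that logs time-only stamps from a clock running more than 10 minutes ahead is indexed almost 24 hours in the past, which is worth checking when events seem to be missing from an incident timeline.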
If a timestamp is found, two fields are added to the event: one contains the parsed timestamp in milliseconds since Unix epoch (01-01-1970 00:00:00 UTC) and gets its name from the as parameter; the other contains the parsed timezone, if available, and otherwise the timezone parameter, and gets its name from the timezoneAs parameter.
Function Traits: Transformation
Parameter | Type | Required | Default | Description |
---|---|---|---|---|
addErrors | boolean | optional | true | Whether to add an error field to the event, if it was not possible to find a timestamp. |
as | string | optional | @timestamp | The output field that will contain the parsed timestamp. The timestamp is represented as milliseconds since Unix epoch (01-01-1970 00:00:00 UTC). LogScale expects to find the timestamp for the event in the field @timestamp, so do not set this parameter to anything else in a parser. |
field | string | optional | @rawstring | The field to search for a timestamp. |
timezone | string | optional | | If the timestamp does not contain a timezone and this parameter is not set, then the timestamp will not be parsed. The timezone can be specified as a named timezone or as an offset. Examples are Europe/London, America/New_York, UTC or UTC+12:30. See the full list of timezones supported by LogScale at Supported Timezones. |
timezoneAs | string | optional | @timezone | The output field that will contain the parsed timezone. LogScale expects to find the timezone for the event in the field @timezone, so do not set this parameter to anything else in a parser. |
findTimestamp() Examples
In a parser with UTC set as the timezone.
findTimestamp(timezone="UTC")
In a parser with America/New_York set as the timezone.
findTimestamp(timezone="America/New_York")
In a parser where the timestamp is located in a field named date.
findTimestamp(field=date, timezone="Europe/London")
In a query function where the timestamp should be stored in a field datetime and the timezone in a field tz.
findTimestamp(as="datetime", timezoneAs="tz")