Finds a timestamp in the given field and parses it, trying different formats for timestamps. The function returns the first timestamp in the field that matches one of its formats. The function only finds timestamps starting within the first 128 characters of the text.
Self-hosted customers can adjust this behaviour setting the
variable MAX_CHARS_TO_FIND_TIMESTAMP.
| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
addErrors | boolean | optional[a] | true | Whether to add an error field to the event, if it was not possible to find a timestamp. |
as | string | optional[a] | @timestamp | The output field that will contain the parsed timestamp. The timestamp is represented as milliseconds since Unix epoch (01-01-1970 00:00:00 UTC). LogScale expects to find the timestamp for the event in the field @timestamp , so do not set this parameter to anything else in a parser. |
field | string | optional[a] | @rawstring | The field to search for a timestamp. |
timezone | string | optional[a] | If the timestamp does not contain a timezone and this parameter is not set, then the timestamp will not be parsed. The timezone can be specified as a named timezone or as an offset. Examples are Europe/London, America/New_York, UTC or UTC+12:30. See the full list of timezones supported by LogScale at Supported Time Zones. | |
timezoneAs | string | optional[a] | @timezone | The output field that will contain the parsed timezone. LogScale expects to find the timezone for the event in the field @timezone , so do not set this parameter to anything else in a parser. |
[a] Optional parameters use their default value unless explicitly set. | ||||
This function is primarily meant to be used in generic parsers
that can be used for different event types. If the format of the
timestamp is known, consider using the
parseTimestamp() function instead.
The function supports the following formats:
year month day hour minute second [subsecond] [timezone]month day [year] hour minute second [subsecond] [timezone]month day hour minute second [subsecond] [timezone] year4day monthLetter [year4] hour minute second [subsecond] [timezone]hour minute second [subsecond] [timezone]epochsecond [subsecond]
Values within brackets (for example,
[timezone]) are optional.
The different formats are described as follows:
| Type | Description |
|---|---|
year
| The year with either two or four digits. |
year4
| The year with four digits. |
month
| The month as two digits or three letters (for example, 01 or Jan). |
monthLetter
| The month as three letters (for example, Jan) |
day
| The day as two digits. |
hour
| The hour as two digits (0-23 or 1-12). |
minute
| The minutes as two digits. |
second
| The seconds as two digits. |
subsecond
| The sub-seconds as one to nine digits, for Unix epoch time only 3, 6 or 9 digits. |
timezone
| The time zone as either a named timezone (for example, UTC or America/New_York) or an offset (for example, UTC+12:30). |
epochsecond
| The seconds since Unix epoch (01-01-1970 00:00:00 UTC) as 10 digits. |
Additional notes:
If the time zone is missing, the
timezoneparameter is used.Note
If timestamps are written in a time zone with Daylight Saving Time, it is recommended that the
timezoneparameter is specified and written as an offset. Otherwise, when switching from Daylight Saving Time to Standard Time, there is no way to differentiate between the last hour before the switch and the first hour after.If the date (
year,monthandday) is missing, the current date is used if the time is at most 10 minutes into the future; otherwise, the previous days date is used.If the
yearis missing, the largest of last year, this year and next year is used so that the date is at most 7 days into the future.If the
yearis only two digits, it is assumed to be between 2013 and 2099. If you need to parse dates before 2013 with only two digits for year, use theparseTimestamp()function instead.Leap seconds are ignored, so 60 seconds is converted to 59 seconds.
Up to 9 digits of subseconds are accepted, but since timestamps are stored with millisecond precision, only the first 3 digits are used.
If a timestamp is found, two fields are added to the event: one contains the parsed timestamp in milliseconds since Unix epoch (01-01-1970 00:00:00 UTC) and gets its name from the
asparameter; the other contains the parsed timezone, if available, and otherwise thetimezoneparameter, and gets its name from thetimezoneAsparameter.
findTimestamp() Syntax Examples
In a parser with UTC set as
the timezone.
findTimestamp(timezone="UTC")
In a parser with
America/New_York set as the
timezone.
findTimestamp(timezone="America/New_York")In a parser where the timestamp is located in a field named date.
findTimestamp(field=date, timezone="Europe/London")In a query function where the timestamp should be stored in a field datetime and the timezone in a field tz.
findTimestamp(as="datetime", timezoneAs="tz")