Format Timestamp as ISO 8601 Using Shorthand Notation

Convert Unix epoch timestamp to ISO 8601 format using the formatTime() function with shorthand notation

Query

flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1["Expression"] result{{Result Set}} repo --> 1 1 --> result
logscale
timestamp_iso8601 := formatTime("%FT%T%z", field=@timestamp)

Introduction

The formatTime() function can be used to format Unix epoch timestamp values into specific date-time formats using format specifiers. It is particularly useful for converting Unix timestamps into human-readable formats, including the widely-used ISO 8601 standard.

In this example, the formatTime() function is used to convert Unix epoch millisecond timestamps into ISO 8601 formatted date-time strings using a shorthand format pattern %FT%T%z instead of the more detailed format string %Y-%m-%dT%H:%M:%S%z.

Both produce identical output following the pattern "YYYY-MM-DDThh:mm:ss±hhmm" where:

  • YYYY represents the four-digit year.

  • MM represents the two-digit month (01-12).

  • DD represents the two-digit day of the month (01-31).

  • T is the literal character separating the date and time.

  • hh:mm:ss represents hours, minutes, and seconds.

  • ±hhmm represents the timezone offset from UTC.

Example incoming data might look like this:

@timestampevent_typeserver_idstatus_code
1774061787000startupsrv-001200
1774061787100configuration_loadedsrv-001200
1774061787200service_startedsrv-001200
1774061787300connection_establishedsrv-001201
1774061787400readysrv-001200
1774061787500processingsrv-001200
1774061787600task_completedsrv-001200

Step-by-Step

  1. Starting with the source repository events.

  2. flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1["Expression"] result{{Result Set}} repo --> 1 1 --> result style 1 fill:#ff0000,stroke-width:4px,stroke:#000;
    logscale
    timestamp_iso8601 := formatTime("%FT%T%z", field=@timestamp)

    Creates a new field named timestamp_iso8601 containing the ISO 8601 formatted timestamp. The format string uses these shorthand specifiers %FT%T%z instead of the longer format %Y-%m-%dT%H:%M:%S%z:

    • %F - Equivalent to %Y-%m-%d (full date).

    • T - Literal 'T' separator.

    • %T - Equivalent to %H:%M:%S (time).

    • %z - Timezone offset in +hhmm or -hhmm format.

    The field parameter specifies @timestamp as the source field to format.

  3. Event Result set.

Summary and Results

The query is used to convert Unix epoch millisecond timestamps into the standardized ISO 8601 date-time format using a concise format pattern.

This query is useful, for example, to standardize timestamp representations for international data exchange, API integration, or compliance with systems requiring ISO 8601 format.

Sample output from the incoming example data:

@timestampevent_typeserver_idstatus_codetimestamp_iso8601
1774061787000startupsrv-0012002026-03-16T20:23:07+0000
1774061787100configuration_loadedsrv-0012002026-03-16T20:23:07+0000
1774061787200service_startedsrv-0012002026-03-16T20:23:07+0000
1774061787300connection_establishedsrv-0012012026-03-16T20:23:07+0000
1774061787400readysrv-0012002026-03-16T20:23:07+0000
1774061787500processingsrv-0012002026-03-16T20:23:07+0000
1774061787600task_completedsrv-0012002026-03-16T20:23:07+0000

The timezone offset (+0000) indicates UTC time zone, as LogScale internally processes timestamps in UTC.

The millisecond precision from the original Unix epoch timestamp is not included in the ISO 8601 output, as the format string does not specify millisecond formatting.

Note that both format patterns (%FT%T%z and %Y-%m-%dT%H:%M:%S%z) produce identical results.