How-To: Parse Unix Timestamps

Last Updated: 2021-03-11

When parsing timestamps from a variety of logs, you may need to parse a Unix timestamp in one of the following conditions:

Times have been converted or formatted from within the application, for xample when using Java Datetimeformatter
It may be unclear when to use format=unixtime with parseTimestampt()
Parsing of a Unix timestamp with, for example 1601622074.216300
Parser returns the error timestamp was not set to a value after 1971

In LogScale, the time at which an event occurred is stored in the field @timestamp. LogScale will automatically assign the current system time to @timestamp if the value was not assigned by the parser.

When using parseTimestamp() with unixtime, the parsing of a Unix timestamp must be explicitly configured. Without this setting, the parser will not look for unixtime within the @rawstring.

To ensure that the parser is looking for and parsing a Unix timestamp, use the format argument:

parseJson() | parseTimestamp(field=ts, format="unixtime")

Falcon LogScale Documentation

Documentation

Reference Information

Knowledge Base

LogScale Notices

Release Notes

LogScale Training

How-To: Parse Unix Timestamps

Enter search term