How-To: Parse Unix Timestamps

When parsing timestamps from a variety of logs, you may need to parse a Unix timestamp in one of the following conditions:

  • Times have been converted or formatted from within the application, for example when using Java's DateTimeFormatter.

  • It may be unclear when to use format=unixtime with parseTimestamp()

  • Parsing of a Unix timestamp with, for example 1601622074.216300

  • Parser returns the error timestamp was not set to a value after 1971

In LogScale, the time at which an event occurred is stored in the field @timestamp. LogScale will automatically assign the current system time to @timestamp if the value was not assigned by the parser.

When using parseTimestamp() with unixtime, the parsing of a Unix timestamp must be explicitly configured. Without this setting, the parser will not look for unixtime within the @rawstring.

To ensure that the parser is looking for and parsing a Unix timestamp, use the format argument:

logscale
parseJson()
| parseTimestamp(field=ts, format="unixtime")