Splunk® Data Stream Processor

Function Reference



On April 3, 2023, Splunk Data Stream Processor will reach its end of sale, and will reach its end of life on February 28, 2025. If you are an existing DSP customer, please reach out to your account team for more information.
This documentation does not apply to the most recent version of Splunk® Data Stream Processor. For documentation on the most recent version, go to the latest release.

Extract Timestamp

Parses the body of each record for a timestamp, using the first rule that matches, and writes the parsed timestamp to the specified field.

Specifying a time zone is optional. If you do not specify a time zone, the time zone defaults to UTC.

Function Input
collection<record<R>>
This function takes in collections of records with schema R.
Function Output
collection<record<S>>
This function outputs the same collection of records but with a different schema S.

Rules

The following rules are available:

| Timestamp name | Timestamp example | Extracted epoch time example |
|---|---|---|
| catalina_timestamp | Apr 15, 2010 1:51:22 AM org.apache.catalina.loader.WebappClassLoader validateJarFile | 1271296282000L |
| cisco_timestamp | Tag=49: Msg: May 9 2018 21:30:45.493: %IOSXE-4-PLATFORM: R0/0: kernel: hrtime | 1525901445493L |
| date_timestamp | 12/31/2017-05:43:11.325 test_user Provider=any oledb provider's name;OledbKey1=someValue;OledbKey2=someValue; | 1514698991325L |
| eventlog_timestamp | 20120623053423.123 Audit Success | 1340429663123L |
| haproxy_timestamp | 127.0.0.1:39759 09/Dec/2013:12:59:46.633 loadbalancer default/instance8 0/51536/1/48082/99627 200 83285 | 1386593986633L |
| http_timestamp | 04/May/2015:13:17:15 +0200 evita postfix/smtpd1713: connect from camomile.cloud9.net168.100.1.3 | 1430745435000L |
| iso8601_timestamp | 2014-02-15T23:39:43.945958Z my-test-loadbalancer 192.168.131.39:2817 10.0.0.1:80 0.000073 0.001048 0.000057 200 200 0 29 "GET http://www.example.com:80/ HTTP/1.1" | 1392507583945L |
| nagios_timestamp | 1427925600 CURRENT HOST STATE: nagioshost;UP;HARD;1;PING OK - Packet loss = 0%, RTA = 2.24 ms | 1427925600L |
| other_timestamp | Mon Aug 31 09:30:48 PST 2015 proxy_fcgi:error pid 28787:tid 140169587934976 (70008)Partial results are valid but processing is incomplete | 1441038648000L |
| redis_timestamp | "30200:C 06 May 21:25:10.186 * RDB: 6 MB of memory used by copy-on-write | 1557177910186L |
| rfc822_timestamp | <34>Jan 12 06:30:00 2432 apache_server: 1.2.3.4 - - 12/Jan/2011:06:29:59 +0100 "GET /foo/bar.html HTTP/1.1" 301 96 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.12) | 1299096000000L |
| rfc2822_timestamp | Sat Mar 02 2011 15:00:00 EST | 1547274600000L |
| syslog_timestamp | May 11 15:17:02 meow.soy.se CRON10973: pam_unix(cron:session): session opened for user root by (uid=0) | 1557587822000L |
| syslog3164_timestamp | <34>Jan 12 06:30:00 2432 apache_server: 1.2.3.4 - - [12/Jan/2011:06:29:59 +0100] "GET /foo/bar.html HTTP/1.1" 301 96 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.12) | 1557587822000L |
| tomcat_timestamp | 2014-01-09 20:03:28,269 -0800 ERROR com.example.service.ExampleService - something completely unexpected happened... | 1389326608269L |

Arguments

| Argument | Input | Description | UI example |
|---|---|---|---|
| Field | string | The name of the field to put the timestamp value in. | time |
| Rules | collection<long> | A list of rules to try matching your timestamp to. | cisco_timestamp(); |

DSL example

records = read-splunk-firehose();
events-with-timestamp = extract_timestamp(
    records,
    "timestamp",
    cisco_timestamp(),
    iso8601_timestamp(),
    rfc2822_timestamp(),
    syslog_timestamp()
);
write-index(events-with-timestamp, "", "main");
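The rule-ordering and default-time-zone behaviour described above, as an added Python example that is not DSP's own implementation: it re-creates six of the rules from the table with hand-written search patterns (an assumption; the page does not show the real rule definitions), tries them in the order given, treats the year of a year-less syslog timestamp as a caller-supplied assumption, and applies UTC when the text carries no zone.

```python
import re
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Hypothetical re-implementation of a subset of the rules in the table above, as
# (search pattern, strptime format); a None format means the text is already epoch seconds.
RULES = {
    "cisco_timestamp":   (r"[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}\.\d{3}", "%b %d %Y %H:%M:%S.%f"),
    "iso8601_timestamp": (r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+(?:Z|[+-]\d{2}:?\d{2})", "%Y-%m-%dT%H:%M:%S.%f%z"),
    "tomcat_timestamp":  (r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} [+-]\d{4}", "%Y-%m-%d %H:%M:%S,%f %z"),
    "http_timestamp":    (r"\d{2}/[A-Z][a-z]{2}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}", "%d/%b/%Y:%H:%M:%S %z"),
    "syslog_timestamp":  (r"[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}", "%b %d %H:%M:%S"),
    "nagios_timestamp":  (r"^\d{10}\b", None),
}

# Constructed sample bodies, taken from the example column of the rule table above.
SAMPLES = {
    "cisco":  "Tag=49: Msg: May 9 2018 21:30:45.493: %IOSXE-4-PLATFORM: R0/0: kernel: hrtime",
    "iso":    "2014-02-15T23:39:43.945958Z my-test-loadbalancer 192.168.131.39:2817 10.0.0.1:80",
    "tomcat": "2014-01-09 20:03:28,269 -0800 ERROR com.example.service.ExampleService - unexpected",
    "syslog": "May 11 15:17:02 meow.soy.se CRON10973: pam_unix(cron:session): session opened",
    "nagios": "1427925600 CURRENT HOST STATE: nagioshost;UP;HARD;1;PING OK - Packet loss = 0%",
    "two":    '<34>Jan 12 06:30:00 2432 apache_server: 1.2.3.4 - - [12/Jan/2011:06:29:59 +0100] "GET /"',
}


def extract_timestamp(body, rules, default_tz=timezone.utc, default_year=None):
    """Try the rules in the given order; return (rule name, epoch millis) from the first match."""
    for name in rules:
        pattern, fmt = RULES[name]
        match = re.search(pattern, body)
        if not match:
            continue
        if fmt is None:                                  # epoch-seconds text needs no parsing
            return name, int(match.group(0)) * 1000
        dt = datetime.strptime(match.group(0), fmt)
        if "%Y" not in fmt:                              # year-less formats such as syslog: the year
            dt = dt.replace(year=default_year or datetime.now(default_tz).year)  # is an assumption
        if dt.tzinfo is None:                            # no zone in the text: the default (UTC) applies
            dt = dt.replace(tzinfo=default_tz)
        return name, (dt - EPOCH) // timedelta(milliseconds=1)   # exact integer millis
    return None


if __name__ == "__main__":
    for key, body in SAMPLES.items():
        print(key, extract_timestamp(body, list(RULES), default_year=2019))
```

A year-less or zone-less timestamp silently takes the assumed year and UTC, which shifts the event on an investigation timeline, so check that assumption against the source. Because the first matching rule wins, place the more specific rule ahead of a broad one such as syslog_timestamp, or the syslog header in the "two" sample is what gets extracted rather than the embedded, fully qualified Apache timestamp.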
Last modified on 02 January, 2020

This documentation applies to the following versions of Splunk® Data Stream Processor: 1.0.1
