On April 3, 2023, Splunk Data Stream Processor will reach its end of sale, and will reach its end of life on February 28, 2025. If you are an existing DSP customer, please reach out to your account team for more information.
This documentation does not apply to the most recent version of Splunk® Data Stream Processor.
For documentation on the most recent version, go to the latest release.
Extract Timestamp
Parses body for a timestamp using the first rule that matches, and outputs the parsed timestamp in the specified field.
Specifying a time zone is optional. If you do not specify a time zone, the time zone defaults to UTC.
- Function Input
collection<record<R>>- This function takes in collections of records with schema R.
- Function Output
collection<record<S>>- This function outputs the same collection of records but with a different schema S.
Rules
The following rules are available:
| Timestamp name | Timestamp example | Extracted Epoch time example |
|---|---|---|
catalina_timestamp |
Apr 15, 2010 1:51:22 AM org.apache.catalina.loader.WebappClassLoader validateJarFile |
1271296282000L
|
cisco_timestamp |
Tag=49: Msg: May 9 2018 21:30:45.493: %IOSXE-4-PLATFORM: R0/0: kernel: hrtime |
1525901445493L
|
date_timestamp |
12/31/2017-05:43:11.325 test_user Provider=any oledb provider's name;OledbKey1=someValue;OledbKey2=someValue; |
1514698991325L
|
eventlog_timestamp |
20120623053423.123 Audit Success |
1340429663123L
|
haproxy_timestamp |
127.0.0.1:39759 09/Dec/2013:12:59:46.633 loadbalancer default/instance8 0/51536/1/48082/99627 200 83285 |
1386593986633L
|
http_timestamp |
04/May/2015:13:17:15 +0200 evita postfix/smtpd1713: connect from camomile.cloud9.net168.100.1.3 |
1430745435000L
|
iso8601_timestamp |
2014-02-15T23:39:43.945958Z my-test-loadbalancer 192.168.131.39:2817 10.0.0.1:80 0.000073 0.001048 0.000057 200 200 0 29 \"GET http://www.example.com:80/ HTTP/1.1\" |
1392507583945L
|
nagios_timestamp |
1427925600 CURRENT HOST STATE: nagioshost;UP;HARD;1;PING OK - Packet loss = 0%, RTA = 2.24 ms |
1427925600L
|
other_timestamp |
Mon Aug 31 09:30:48 PST 2015 proxy_fcgi:error pid 28787:tid 140169587934976 (70008)Partial results are valid but processing is incomplete |
1441038648000L
|
redis_timestamp |
"30200:C 06 May 21:25:10.186 * RDB: 6 MB of memory used by copy-on-write |
1557177910186L
|
rfc822_timestamp |
<34>Jan 12 06:30:00 2432 apache_server: 1.2.3.4 - - 12/Jan/2011:06:29:59 +0100 \"GET /foo/bar.html HTTP/1.1\" 301 96 \"-\" \"Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.12) |
1299096000000L
|
rfc2822_timestamp |
Sat Mar 02 2011 15:00:00 EST |
1547274600000L
|
syslog_timestamp |
May 11 15:17:02 meow.soy.se CRON10973: pam_unix(cron:session): session opened for user root by (uid=0) |
1557587822000L
|
syslog3164_timestamp |
<34>Jan 12 06:30:00 2432 apache_server: 1.2.3.4 - - [12/Jan/2011:06:29:59 +0100] \"GET /foo/bar.html HTTP/1.1\" 301 96 \"-\" \"Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.12) |
1557587822000L
|
tomcat_timestamp |
2014-01-09 20:03:28,269 -0800 ERROR com.example.service.ExampleService - something completely unexpected happened... | 1389326608269L
|
Arguments
| Argument | Input | Description | UI example |
|---|---|---|---|
| Field | string | The name of the field to put the timestamp value in. | time |
| Rules | collection<long> | A list of rules to try matching your timestamp to | cisco_timestamp();
|
DSL example
records = read-splunk-firehose(); events-with-timestamp = extract_timestamp( records, "timestamp", cisco_timestamp(), iso8601_timestamp(), rfc2822_timestamp(), syslog_timestamp() ); write-index(events-with-timestamp, "", "main");
Last modified on 02 January, 2020
| Eval | Fields |
This documentation applies to the following versions of Splunk® Data Stream Processor: 1.0.1
Download manual
Feedback submitted, thanks!