Extract Timestamp

This topic describes how to use the function in the Splunk Data Stream Processor.

Description

Parses body for a timestamp using the first rule that matches, and outputs the parsed timestamp in the specified field.

Specifying a time zone is optional. If you do not specify a time zone, the time zone defaults to UTC.

Function Input/Output Schema

Function Input: collection<record<R>>; This function takes in collections of records with schema R.
Function Output: collection<record<S>>; This function outputs the same collection of records but with a different schema S.

Syntax

extract_timestamp: field = <field>; rules = <rule-function>

Required arguments

field: Syntax: <field>; Description: The name of the field to put the timestamp value in.
rules: Syntax: <rule-function>; Description: A list of timestamp rule functions to try matching your timestamp to.

Timestamp rule functions

The following timestamp rules are available, and the first rule that matches is used.

Timestamp function	Timestamp example	Extracted Epoch time example
`catalina_timestamp()`	`Apr 15, 2010 1:51:22 AM org.apache.catalina.loader.WebappClassLoader validateJarFile`	`1271296282000L`
`cisco_timestamp()`	`Tag=49: Msg: May 9 2018 21:30:45.493: %IOSXE-4-PLATFORM: R0/0: kernel: hrtime`	`1525901445493L`
`date_timestamp()`	`12/31/2017-05:43:11.325 test_user Provider=any oledb provider's name;OledbKey1=someValue;OledbKey2=someValue;`	`1514698991325L`
`eventlog_timestamp()`	`20120623053423.123 Audit Success`	`1340429663123L`
`haproxy_timestamp()`	`127.0.0.1:39759 09/Dec/2013:12:59:46.633 loadbalancer default/instance8 0/51536/1/48082/99627 200 83285`	`1386593986633L`
`http_timestamp()`	`04/May/2015:13:17:15 +0200 evita postfix/smtpd1713: connect from camomile.cloud9.net168.100.1.3`	`1430745435000L`
`iso8601_timestamp()`	`2014-02-15T23:39:43.945958Z my-test-loadbalancer 192.168.131.39:2817 10.0.0.1:80 0.000073 0.001048 0.000057 200 200 0 29 \"GET http://www.example.com:80/ HTTP/1.1\"`	`1392507583945L`
`nagios_timestamp()` This function only works with nagios timestamps bounded by brackets ( [ ] ) and can't be applied to generic epoch timestamps such as nessus or linux auditd.	`[1256314960] EXTERNAL COMMAND: PROCESS_SERVICE_CHECK_RESULT;hostname;servicename;0;Service running OK`	`1256314960L`
`other_timestamp()`	`Mon Aug 31 09:30:48 PST 2015 proxy_fcgi:error pid 28787:tid 140169587934976 (70008)Partial results are valid but processing is incomplete`	`1441038648000L`
`redis_timestamp()`	`"30200:C 06 May 21:25:10.186 * RDB: 6 MB of memory used by copy-on-write`	`1557177910186L`
`rfc822_timestamp()`	`<34>Jan 12 06:30:00 2432 apache_server: 1.2.3.4 - - 12/Jan/2011:06:29:59 +0100 \"GET /foo/bar.html HTTP/1.1\" 301 96 \"-\" \"Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.12)`	`1299096000000L`
`rfc2822_timestamp()`	`Sat, 13 Mar 2010 11:29:05 -0800`	`1268508545000L`
`syslog_timestamp()`	`May 11 15:17:02 meow.soy.se CRON10973: pam_unix(cron:session): session opened for user root by (uid=0)`	`1557587822000L`
`syslog3164_timestamp()`	`<34>Jan 12 06:30:00 2432 apache_server: 1.2.3.4 - - [12/Jan/2011:06:29:59 +0100] \"GET /foo/bar.html HTTP/1.1\" 301 96 \"-\" \"Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.12)`	`1557587822000L`
`tomcat_timestamp()`	`2014-01-09 20:03:28,269 -0800 ERROR com.example.service.ExampleService - something completely unexpected happened...`	`1389326608269L`

SPL2 example

Extract timestamps with the iso8601, syslog, and cisco formats into the timestamp field.

...|extract_timestamp field=timestamp rules=[iso8601_timestamp(), syslog_timestamp(), cisco_timestamp()] |...;

Related answers from Splunk Community

Extract Timestamp

Description

Function Input/Output Schema

Syntax

Required arguments

Timestamp rule functions

SPL2 example

Extract timestamps with the iso8601, syslog, and cisco formats into the timestamp field.

Comments

Extract Timestamp

Was this topic useful?