Splunk® Data Stream Processor

Function Reference

DSP 1.2.1 is impacted by the CVE-2021-44228 and CVE-2021-45046 security vulnerabilities from Apache Log4j. To fix these vulnerabilities, you must upgrade to DSP 1.2.4. See Upgrade the Splunk Data Stream Processor to 1.2.4 for upgrade instructions.

On October 30, 2022, all 1.2.x versions of the Splunk Data Stream Processor will reach its end of support date. See the Splunk Software Support Policy for details.

Extract Timestamp

This topic describes how to use the function in the Splunk Data Stream Processor.

This function has been deprecated. Use the new Apply Timestamp Extraction function instead.

Description

The Extract Timestamp function parses body for a timestamp using the first rule that matches, and outputs the parsed timestamp in the specified field.

Specifying a time zone is optional. If you do not specify a time zone, the time zone defaults to UTC.

Function Input/Output Schema

Function Input
collection<record<R>>
This function takes in collections of records with schema R.
Function Output
collection<record<S>>
This function outputs the same collection of records but with a different schema S.

Syntax

extract_timestamp
field = <field>
rules = <rule-function>

Required arguments

field
Syntax: <field>
Description: The name of the field to put the timestamp value in.
Example in Canvas View: timestamp
rules
Syntax: <rule-function>
Description: A list of timestamp rule functions to try matching your timestamp to. See the Timestamp rule functions section for a list of available functions.
Example in Canvas View: iso8601_timestamp(), syslog_timestamp(), cisco_timestamp()

Timestamp rule functions

The following timestamp rules are available, and the first rule that matches is used.

Timestamp function Timestamp example Extracted Epoch time example
catalina_timestamp() Apr 15, 2010 1:51:22 AM org.apache.catalina.loader.WebappClassLoader validateJarFile 1271296282000L
cisco_timestamp() Tag=49: Msg: May 9 2018 21:30:45.493: %IOSXE-4-PLATFORM: R0/0: kernel: hrtime 1525901445493L
date_timestamp() 12/31/2017-05:43:11.325 test_user Provider=any oledb provider's name;OledbKey1=someValue;OledbKey2=someValue; 1514698991325L
eventlog_timestamp() 20120623053423.123 Audit Success 1340429663123L
haproxy_timestamp() 127.0.0.1:39759 09/Dec/2013:12:59:46.633 loadbalancer default/instance8 0/51536/1/48082/99627 200 83285 1386593986633L
http_timestamp() 04/May/2015:13:17:15 +0200 evita postfix/smtpd1713: connect from camomile.cloud9.net168.100.1.3 1430745435000L
iso8601_timestamp() 2014-02-15T23:39:43.945958Z my-test-loadbalancer 192.168.131.39:2817 10.0.0.1:80 0.000073 0.001048 0.000057 200 200 0 29 \"GET http://www.example.com:80/ HTTP/1.1\" 1392507583945L
nagios_timestamp() [1256314960] EXTERNAL COMMAND: PROCESS_SERVICE_CHECK_RESULT;hostname;servicename;0;Service running OK 1256314960L
other_timestamp() Mon Aug 31 09:30:48 PST 2015 proxy_fcgi:error pid 28787:tid 140169587934976 (70008)Partial results are valid but processing is incomplete 1441038648000L
redis_timestamp() "30200:C 06 May 21:25:10.186 * RDB: 6 MB of memory used by copy-on-write 1557177910186L
rfc822_timestamp() <34>Jan 12 06:30:00 2432 apache_server: 1.2.3.4 - - 12/Jan/2011:06:29:59 +0100 \"GET /foo/bar.html HTTP/1.1\" 301 96 \"-\" \"Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.12) 1299096000000L
rfc2822_timestamp() Sat, 13 Mar 2010 11:29:05 -0800 1268508545000L
syslog_timestamp() May 11 15:17:02 meow.soy.se CRON10973: pam_unix(cron:session): session opened for user root by (uid=0) 1557587822000L
syslog3164_timestamp() <34>Jan 12 06:30:00 2432 apache_server: 1.2.3.4 - - [12/Jan/2011:06:29:59 +0100] \"GET /foo/bar.html HTTP/1.1\" 301 96 \"-\" \"Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.12) 1557587822000L
tomcat_timestamp() 2014-01-09 20:03:28,269 -0800 ERROR com.example.service.ExampleService - something completely unexpected happened... 1389326608269L

Example

An example of a common use case follows. These examples assume that you have added the function to your pipeline.

SPL2 Example: Extract timestamps into the timestamp field

This example assumes that you are in the SPL View.

Extract timestamps with the iso8601, syslog, and cisco formats into the timestamp field.

...|extract_timestamp field=timestamp rules=[iso8601_timestamp(), syslog_timestamp(), cisco_timestamp()] |...;
Last modified on 28 October, 2021
Eval   Fields

This documentation applies to the following versions of Splunk® Data Stream Processor: 1.2.0, 1.2.1-patch02, 1.2.1, 1.2.2-patch02, 1.2.4, 1.2.5, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters