Extract Timestamp
This topic describes how to use the function in the Splunk Data Stream Processor.
This function has been deprecated. Use the new Apply Timestamp Extraction function instead.
Description
The Extract Timestamp function parses body
for a timestamp using the first rule that matches, and outputs the parsed timestamp in the specified field.
Specifying a time zone is optional. If you do not specify a time zone, the time zone defaults to UTC.
Function Input/Output Schema
- Function Input
collection<record<R>>
- This function takes in collections of records with schema R.
- Function Output
collection<record<S>>
- This function outputs the same collection of records but with a different schema S.
Syntax
- extract_timestamp
- field = <field>
- rules = <rule-function>
Required arguments
- field
- Syntax: <field>
- Description: The name of the field to put the timestamp value in.
- Example in Canvas View: timestamp
- rules
- Syntax: <rule-function>
- Description: A list of timestamp rule functions to try matching your timestamp to. See the Timestamp rule functions section for a list of available functions.
- Example in Canvas View: iso8601_timestamp(), syslog_timestamp(), cisco_timestamp()
Timestamp rule functions
The following timestamp rules are available, and the first rule that matches is used.
Timestamp function | Timestamp example | Extracted Epoch time example |
---|---|---|
catalina_timestamp() |
Apr 15, 2010 1:51:22 AM org.apache.catalina.loader.WebappClassLoader validateJarFile |
1271296282000L
|
cisco_timestamp() |
Tag=49: Msg: May 9 2018 21:30:45.493: %IOSXE-4-PLATFORM: R0/0: kernel: hrtime |
1525901445493L
|
date_timestamp() |
12/31/2017-05:43:11.325 test_user Provider=any oledb provider's name;OledbKey1=someValue;OledbKey2=someValue; |
1514698991325L
|
eventlog_timestamp() |
20120623053423.123 Audit Success |
1340429663123L
|
haproxy_timestamp() |
127.0.0.1:39759 09/Dec/2013:12:59:46.633 loadbalancer default/instance8 0/51536/1/48082/99627 200 83285 |
1386593986633L
|
http_timestamp() |
04/May/2015:13:17:15 +0200 evita postfix/smtpd1713: connect from camomile.cloud9.net168.100.1.3 |
1430745435000L
|
iso8601_timestamp() |
2014-02-15T23:39:43.945958Z my-test-loadbalancer 192.168.131.39:2817 10.0.0.1:80 0.000073 0.001048 0.000057 200 200 0 29 \"GET http://www.example.com:80/ HTTP/1.1\" |
1392507583945L
|
nagios_timestamp() |
[1256314960] EXTERNAL COMMAND: PROCESS_SERVICE_CHECK_RESULT;hostname;servicename;0;Service running OK |
1256314960L
|
other_timestamp() |
Mon Aug 31 09:30:48 PST 2015 proxy_fcgi:error pid 28787:tid 140169587934976 (70008)Partial results are valid but processing is incomplete |
1441038648000L
|
redis_timestamp() |
"30200:C 06 May 21:25:10.186 * RDB: 6 MB of memory used by copy-on-write |
1557177910186L
|
rfc822_timestamp() |
<34>Jan 12 06:30:00 2432 apache_server: 1.2.3.4 - - 12/Jan/2011:06:29:59 +0100 \"GET /foo/bar.html HTTP/1.1\" 301 96 \"-\" \"Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.12) |
1299096000000L
|
rfc2822_timestamp() |
Sat, 13 Mar 2010 11:29:05 -0800 |
1268508545000L
|
syslog_timestamp() |
May 11 15:17:02 meow.soy.se CRON10973: pam_unix(cron:session): session opened for user root by (uid=0) |
1557587822000L
|
syslog3164_timestamp() |
<34>Jan 12 06:30:00 2432 apache_server: 1.2.3.4 - - [12/Jan/2011:06:29:59 +0100] \"GET /foo/bar.html HTTP/1.1\" 301 96 \"-\" \"Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.12) |
1557587822000L
|
tomcat_timestamp() |
2014-01-09 20:03:28,269 -0800 ERROR com.example.service.ExampleService - something completely unexpected happened... |
1389326608269L
|
Example
An example of a common use case follows. These examples assume that you have added the function to your pipeline.
SPL2 Example: Extract timestamps into the timestamp field
This example assumes that you are in the SPL View.
Extract timestamps with the iso8601, syslog, and cisco formats into the timestamp field.
...|extract_timestamp field=timestamp rules=[iso8601_timestamp(), syslog_timestamp(), cisco_timestamp()] |...;
Eval | Fields |
This documentation applies to the following versions of Splunk® Data Stream Processor: 1.2.0, 1.2.1-patch02, 1.2.1, 1.2.2-patch02, 1.2.4, 1.2.5, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6
Feedback submitted, thanks!