Cribl - Docs

Auto Timestamp

Description


The Auto Timestamp function extracts a timestamp from a source field in the event and writes it to a destination field.

Usage


Filter: Filter expression (JS) that selects the data to be fed through the function. Defaults to empty, in which case all events are evaluated.
Description: Simple description of this function. Defaults to empty.
Final: If true, stops data from being fed to the downstream functions. Defaults to No.

Source Field: Field to search for a timestamp. Defaults to _raw.
Destination Field: Field to place extracted timestamp in. Defaults to _time. Nested addressing supported.
Default Timezone: Timezone used to parse timestamps that lack timezone info. Defaults to Local.

Advanced Settings


Time Expression: Expression used to format the extracted time. The current time, as a JavaScript Date object, is available in the global variable time. Defaults to time.getTime() / 1000.
Max Timestamp Scan Depth: Maximum string length to scan for a timestamp.

Additional Timestamps: Add Regex/Strptime pairs to extract additional timestamp formats.

  • Regex: Regex with first capturing group matching the timestamp.
  • Strptime Format: Timestamp in strptime format.

Format Reference:

https://github.com/d3/d3-time-format#locale_format

%a - abbreviated weekday name.*
%A - full weekday name.*
%b - abbreviated month name.*
%B - full month name.*
%c - the locale’s date and time, such as %x, %X.*
%d - zero-padded day of the month as a decimal number [01,31].
%e - space-padded day of the month as a decimal number [ 1,31]; equivalent to %_d.
%f - microseconds as a decimal number [000000, 999999].
%H - hour (24-hour clock) as a decimal number [00,23].
%I - hour (12-hour clock) as a decimal number [01,12].
%j - day of the year as a decimal number [001,366].
%m - month as a decimal number [01,12].
%M - minute as a decimal number [00,59].
%L - milliseconds as a decimal number [000, 999].
%p - either AM or PM.*
%Q - milliseconds since UNIX epoch.
%s - seconds since UNIX epoch.
%S - second as a decimal number [00,61].
%u - Monday-based (ISO 8601) weekday as a decimal number [1,7].
%U - Sunday-based week of the year as a decimal number [00,53].
%V - ISO 8601 week of the year as a decimal number [01, 53].
%w - Sunday-based weekday as a decimal number [0,6].
%W - Monday-based week of the year as a decimal number [00,53].
%x - the locale’s date, such as %-m/%-d/%Y.*
%X - the locale’s time, such as %-I:%M:%S %p.*
%y - year without century as a decimal number [00,99].
%Y - year with century as a decimal number.
%Z - time zone offset, such as -0700, -07:00, -07, or Z.
%% - a literal percent sign (%).

Directives marked with an asterisk (*) may be affected by the locale definition.
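How a Regex/Strptime pair, the scan depth, the default timezone and the time expression interact, as an added example (not Cribl's code). The helper names, the 150-character scan depth and the use of a UTC offset in minutes for the default timezone are assumptions; only a subset of the directives above is implemented.

```javascript
// Added illustration, not Cribl's code. Directive -> [regex fragment, parsed field].
const DIRECTIVES = {
  Y: ['(\\d{4})', 'year'], m: ['(\\d{2})', 'month'], d: ['(\\d{2})', 'day'],
  H: ['(\\d{2})', 'hour'], M: ['(\\d{2})', 'minute'], S: ['(\\d{2})', 'second'],
  L: ['(\\d{3})', 'ms'], Z: ['(Z|[+-]\\d{2}(?::?\\d{2})?)', 'offsetMin'],
};
function parseOffset(v) { // "-0700", "-07:00", "-07" or "Z" -> minutes east of UTC
  if (v === 'Z') return 0;
  const m = /^([+-])(\d{2}):?(\d{2})?$/.exec(v);
  return (m[1] === '-' ? -1 : 1) * (Number(m[2]) * 60 + Number(m[3] || 0));
}
// Parse `text` against a strptime format; returns a Date, or null if it does not match.
function strptime(format, text, defaultOffsetMin) {
  const fields = [];
  const pattern = format.replace(/%(.)|[.*+?^${}()|[\]\\]/g, (tok, d) => {
    if (d === undefined) return '\\' + tok; // literal regex metacharacter in the format
    if (d === '%') return '%';
    if (!DIRECTIVES[d]) throw new Error('unsupported directive %' + d);
    fields.push(DIRECTIVES[d][1]);
    return DIRECTIVES[d][0];
  });
  const m = new RegExp('^' + pattern + '$').exec(text);
  if (!m) return null;
  const p = { year: 1970, month: 1, day: 1, hour: 0, minute: 0, second: 0, ms: 0, offsetMin: defaultOffsetMin };
  fields.forEach((f, i) => { p[f] = f === 'offsetMin' ? parseOffset(m[i + 1]) : Number(m[i + 1]); });
  return new Date(Date.UTC(p.year, p.month - 1, p.day, p.hour, p.minute, p.second, p.ms) - p.offsetMin * 60000);
}
// Hypothetical helper; option names mirror the settings on this page.
// Assumed for the example: scanDepth = 150, default timezone given as a UTC offset in minutes.
function autoTimestamp(event, pairs, opts = {}) {
  const { srcField = '_raw', dstField = '_time', scanDepth = 150, defaultOffsetMin = 0,
    timeExpression = (time) => time.getTime() / 1000 } = opts;
  const haystack = String(event[srcField] || '').slice(0, scanDepth); // Max Timestamp Scan Depth
  for (const { regex, strptimeFormat } of pairs) {
    const m = regex.exec(haystack); // first capturing group holds the timestamp
    const time = m && m[1] !== undefined ? strptime(strptimeFormat, m[1], defaultOffsetMin) : null;
    if (time) { event[dstField] = timeExpression(time); break; }
  }
  return event;
}
// Constructed pairs and events: the zone-aware pair is tried before the zone-less one.
const PAIRS = [
  { regex: /ts=(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2})/, strptimeFormat: '%Y-%m-%d %H:%M:%S%Z' },
  { regex: /ts=(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})/, strptimeFormat: '%Y-%m-%d %H:%M:%S' },
];
const withZone = autoTimestamp({ _raw: 'ts=2021-03-04 05:06:07+02:00 action=login' }, PAIRS);
const noZone = autoTimestamp({ _raw: 'ts=2021-03-04 05:06:07 action=login' }, PAIRS, { defaultOffsetMin: -300 });
const tooDeep = autoTimestamp({ _raw: 'x'.repeat(200) + ' ts=2021-03-04 05:06:07' }, PAIRS);
```

The zone-less event is shifted by whatever default timezone is configured, and the event whose timestamp sits past the scan depth gets no destination field at all; both cases are worth checking when timelines from several sources are correlated.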
