Cribl LogStream - Docs

Download manual as PDF - v2.1


Auto Timestamp

Description


The Auto Timestamp function extracts a timestamp from a source field in the event and writes it to a destination field.

Usage


Filter: Filter expression (JS) that selects data to be fed through the function. Defaults to empty - all events will be evaluated.
Description: Simple description of this function. Defaults to empty.
Final: If true, stops data from being fed to the downstream functions. Defaults to No.

Source Field: Field to search for a timestamp. Defaults to _raw.
Destination Field: Field to place extracted timestamp in. Defaults to _time. Nested addressing supported.
Default Timezone: Timezone to assume when parsing timestamps that lack timezone info. Defaults to Local.

Advanced Settings


Time Expression: Expression used to format the extracted time. Current time, as a JavaScript Date object, is available in the global variable time. Defaults to time.getTime() / 1000.
Max Timestamp Scan Depth: Maximum string length to scan for a timestamp.

Additional Timestamps: Add Regex/Strptime pairs to extract additional timestamp formats.

  • Regex: Regex with first capturing group matching the timestamp.
  • Strptime Format: Format of the timestamp, in strptime notation.

Format Reference:

https://github.com/d3/d3-time-format#locale_format

%a - abbreviated weekday name.*
%A - full weekday name.*
%b - abbreviated month name.*
%B - full month name.*
%c - the locale’s date and time, such as %x, %X.*
%d - zero-padded day of the month as a decimal number [01,31].
%e - space-padded day of the month as a decimal number [ 1,31]; equivalent to %_d.
%f - microseconds as a decimal number [000000, 999999].
%H - hour (24-hour clock) as a decimal number [00,23].
%I - hour (12-hour clock) as a decimal number [01,12].
%j - day of the year as a decimal number [001,366].
%m - month as a decimal number [01,12].
%M - minute as a decimal number [00,59].
%L - milliseconds as a decimal number [000, 999].
%p - either AM or PM.*
%Q - milliseconds since UNIX epoch.
%s - seconds since UNIX epoch.
%S - second as a decimal number [00,61].
%u - Monday-based (ISO 8601) weekday as a decimal number [1,7].
%U - Sunday-based week of the year as a decimal number [00,53].
%V - ISO 8601 week of the year as a decimal number [01, 53].
%w - Sunday-based weekday as a decimal number [0,6].
%W - Monday-based week of the year as a decimal number [00,53].
%x - the locale’s date, such as %-m/%-d/%Y.*
%X - the locale’s time, such as %-I:%M:%S %p.*
%y - year without century as a decimal number [00,99].
%Y - year with century as a decimal number.
%Z - time zone offset, such as -0700, -07:00, -07, or Z.
%% - a literal percent sign (%).

Directives marked with an asterisk (*) may be affected by the locale definition.
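
The following JavaScript sketch is an added example, not Cribl's implementation: it mimics how a Regex/Strptime pair, Default Timezone and Max Timestamp Scan Depth interact, so the effect of a missing timezone on _time is visible. All function and option names (autoTimestamp, strptime, pairs, defaultOffsetMin, maxScanDepth) are hypothetical, the default timezone is modelled as a fixed UTC offset in minutes, and the sample events are constructed.

```javascript
// Added sketch, not Cribl's code; names are hypothetical. Subset: %Y %m %d %H %M %S %L %Z %%
const DIRECTIVES = {
  Y: ['year', '(\\d{4})'], m: ['month', '(\\d{2})'], d: ['day', '(\\d{2})'],
  H: ['hour', '(\\d{2})'], M: ['minute', '(\\d{2})'], S: ['second', '(\\d{2})'],
  L: ['ms', '(\\d{3})'], Z: ['offsetMin', '(Z|[+-]\\d{2}(?::?\\d{2})?)'],
};
// Converts Z, -07, -0700 or -07:00 to minutes east of UTC.
function parseOffset(z) {
  if (z === 'Z') return 0;
  const m = /^([+-])(\d{2}):?(\d{2})?$/.exec(z);
  return (m[1] === '-' ? -1 : 1) * (Number(m[2]) * 60 + Number(m[3] || 0));
}
// Parses text against a strptime format; returns a Date, or null on mismatch.
function strptime(text, format, defaultOffsetMin) {
  const fields = [];
  const pattern = format.replace(/%(.)|[.*+?^${}()|[\]\\]/g, (tok, d) => {
    if (d === undefined) return '\\' + tok;   // literal regex metacharacter
    if (d === '%') return '%';
    if (!DIRECTIVES[d]) throw new Error('unsupported directive %' + d);
    fields.push(DIRECTIVES[d][0]);
    return DIRECTIVES[d][1];
  });
  const m = new RegExp('^' + pattern + '$').exec(text);
  if (!m) return null;
  const t = { year: 1970, month: 1, day: 1, hour: 0, minute: 0, second: 0, ms: 0,
              offsetMin: defaultOffsetMin };  // default applies only without %Z
  fields.forEach((f, i) => { t[f] = f === 'offsetMin' ? parseOffset(m[i + 1]) : Number(m[i + 1]); });
  const utcMs = Date.UTC(t.year, t.month - 1, t.day, t.hour, t.minute, t.second, t.ms);
  return new Date(utcMs - t.offsetMin * 60000);
}
// Tries each Regex/Strptime pair, in order, on the first maxScanDepth characters.
function autoTimestamp(event, { pairs, srcField = '_raw', dstField = '_time',
                                defaultOffsetMin = 0, maxScanDepth = Infinity }) {
  const scanned = String(event[srcField]).slice(0, maxScanDepth);
  for (const { regex, format } of pairs) {
    const m = regex.exec(scanned);
    const time = m && strptime(m[1], format, defaultOffsetMin);
    if (time) { event[dstField] = time.getTime() / 1000; break; }  // default Time Expression
  }
  return event;
}

// Constructed sample input: the same wall-clock time with and without an offset.
const PAIRS = [
  { regex: /ts=(\S+ \S+ [+-]\d{4})/, format: '%Y-%m-%d %H:%M:%S %Z' },
  { regex: /ts=(\S+ \S+)/, format: '%Y-%m-%d %H:%M:%S' },
];
const WITH_TZ = { _raw: 'ts=2020-03-01 10:00:00 -0700 action=login' };
const NO_TZ = { _raw: 'ts=2020-03-01 10:00:00 action=login' };
```

In this sketch, with a UTC default the event lacking an offset lands 25200 seconds (7 hours) earlier than the one carrying -0700, which is the kind of skew that misorders events in an investigation timeline.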

Updated 5 months ago
