Log Insight 3.0 Agents: Timestamp Parser

Another parser the agent offers is the timestamp parser. Read on to learn how it works!


How the Parser Works

The timestamp parser differs from the rest of the parsers in that it only makes sense to apply it to a subset of an event, because an event contains more than a timestamp. The first question to answer is why you would want this option at all. The answer is for cases where you wish to use the time recorded within an event instead of the time on the agent client or the time on the Log Insight server. The parser makes it possible to trust the time within the event, something Log Insight intentionally does not do by default.

Remember that by default Log Insight stamps events with the server time at ingestion. If an agent is used and the agent client time is within 10 minutes of the server time, the agent client time is used instead. If the agent cannot process events in real time (for example, when it is catching up on a backlog), the timestamp parser makes it possible to set the correct timestamp on the ingested events. The same constraint still applies: the time produced by the timestamp parser must be within 10 minutes of the Log Insight server time.

Basic Example

To use the timestamp parser, you need to reference it from a field_decoder so that it is applied to the timestamp field of the event rather than to the whole event. For example:

Advanced Example

By default, the timestamp parser has built-in knowledge of a variety of timestamp formats and can parse them automatically. If automatic parsing does not work for your events, you can set the format option explicitly. For example:
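To make the behaviour described above concrete, the following is an added example written for this page; it is not the agent's implementation and not the author's configuration. It models, in Python, the three things the preceding sections describe: applying a timestamp parser to one field of an event rather than the whole line (the field_decoder idea from the Basic Example), trying a list of built-in formats before falling back to an explicit format (the Advanced Example), and the 10-minute acceptance window against the server clock. The built-in format list, the fallback order (event time, then agent client time, then server time) and the sample log lines are all constructed assumptions for illustration; the format directives are Python's strptime directives, not necessarily the agent's.

```python
"""Model of the timestamp-parser behaviour described on this page.

Added example, not Log Insight code. Assumptions made for illustration:
  * a small list of "built-in" formats is tried in order when no explicit
    format is configured;
  * an explicit format (the page's `format` option) replaces that list;
  * the parsed time is accepted only if within 10 minutes of the server
    clock; otherwise the agent client clock is tried under the same rule,
    and finally the server clock is used.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

SKEW = timedelta(minutes=10)  # the 10-minute window the page describes

# Constructed list of formats tried automatically; the agent's real list
# is not on the page. Directives are Python strptime directives.
BUILTIN_FORMATS = (
    "%Y-%m-%dT%H:%M:%S%z",   # ISO 8601 with offset, e.g. 2015-06-01T12:00:00+0000
    "%Y-%m-%d %H:%M:%S,%f",  # log4j style, e.g. 2015-06-01 12:00:00,123
    "%Y-%m-%d %H:%M:%S",
    "%d/%b/%Y:%H:%M:%S %z",  # Common Log Format, e.g. 01/Jun/2015:12:00:00 +0000
)


def parse_timestamp(text: str, fmt: Optional[str] = None) -> Optional[datetime]:
    """Parse a timestamp *field* (not a whole event).

    With `fmt` set only that format is tried; otherwise the built-in list is
    tried in order. Returns an aware UTC datetime, or None when nothing
    matches. A parsed value without an offset is assumed to be UTC.
    """
    formats = (fmt,) if fmt else BUILTIN_FORMATS
    for candidate in formats:
        try:
            parsed = datetime.strptime(text.strip(), candidate)
        except ValueError:
            continue  # this format does not match; try the next one
        if parsed.tzinfo is None:
            parsed = parsed.replace(tzinfo=timezone.utc)
        return parsed.astimezone(timezone.utc)
    return None


def choose_ingest_time(event_ts, client_ts, server_ts):
    """Pick the timestamp stored for an event, with its source.

    Event time and agent client time are each used only when within SKEW of
    the server clock; the server clock is the final fallback.
    """
    for candidate, source in ((event_ts, "event"), (client_ts, "client")):
        if candidate is not None and abs(candidate - server_ts) <= SKEW:
            return candidate, source
    return server_ts, "server"


# Constructed sample data: fixed server and agent clocks, three CLF-like lines.
SERVER_NOW = datetime(2015, 6, 1, 12, 5, 0, tzinfo=timezone.utc)
CLIENT_NOW = datetime(2015, 6, 1, 12, 4, 30, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    # 5 minutes behind the server: inside the window, event time is kept
    '10.0.0.1 - - [01/Jun/2015:12:00:00 +0000] "GET / HTTP/1.1" 200 512',
    # replayed from a 3-hour backlog: outside the window, fall back
    '10.0.0.2 - - [01/Jun/2015:09:00:00 +0000] "GET /x HTTP/1.1" 404 0',
    # timestamp field that no format can parse
    '10.0.0.3 - - [yesterday] "GET /y HTTP/1.1" 500 0',
]

# The "base" parser: splits the line into fields so the timestamp parser can
# be applied to the timestamp field alone, like a field_decoder.
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3})'
)


def decode_event(line, server_now=SERVER_NOW, client_now=CLIENT_NOW, fmt=None):
    """Decode one line: extract fields, then run the timestamp parser on the
    timestamp field only and apply the acceptance window."""
    match = CLF_RE.match(line)
    fields = match.groupdict() if match else {}
    event_ts = parse_timestamp(fields["timestamp"], fmt) if "timestamp" in fields else None
    chosen, source = choose_ingest_time(event_ts, client_now, server_now)
    fields["timestamp"] = chosen.isoformat()
    fields["timestamp_source"] = source
    return fields


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(decode_event(event))
    # Advanced case: a format no built-in entry covers needs an explicit format.
    print(parse_timestamp("01.06.2015 12:00:01.250"))
    print(parse_timestamp("01.06.2015 12:00:01.250", "%d.%m.%Y %H:%M:%S.%f"))
```

Running the block shows the first sample keeping its own time, the backlogged second sample and the unparseable third both falling back to the agent client clock, and the dotted European timestamp parsing only once an explicit format is supplied. The same shape applies to the real agent: the timestamp parser is pointed at one field by a field_decoder, and the format option exists for exactly the case where the automatic formats do not match.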

All of the supported format options are listed below.

Summary

As you can see, the timestamp parser gives the agent control over the timestamp the server assigns to an event. While a variety of timestamp formats are built into the parser, the format option can be used to support any timestamp format. Remember that the timestamp parser is unique in that it only works on a subset of an event, so it must be applied through a field_decoder. Have you tried the timestamp parser?

© 2015, Steve Flanders. All rights reserved.
