How can all timestamps in a message be converted like the first?

Follow
Avatar
Neal McConnell

By default, when Sumo parses logs, it sets the message timestamps by automatically parsing log entries. I see only the first timestamp in a log entry is converted. My logs have more than one timestamp entry per message, in the following format: "2014-08-01 09:15:38.520 -0700".

Since the format is recognized and automatically converted, how can all timestamps in a message be converted like the first?

 

I failed with manual attempts, like below, but I'm not familiar with the correct syntax.

   | parse field=end_time "yyyy-MM-dd HH:mm:ss.SSS ZZZZ" as end_time_mod

0

Comments

1 comment

Sort by Date Votes
  • Avatar
    Dwayne Hoover

    Here is an example using a few unpublished operators:

    * | parse regex "^(?<new\_date>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\s).+$"

    | toMillis(parseDate(new_date,"yyyy-MM-dd HH:mm:ss")) as etime

    | formatDate(fromMillis(toLong(etime)),"yyyy-MM-dd HH:mm:ss.SSS ZZZZ") as end_time_mod

    A quick tour of what's happening:

    I'm using a parse regex to pull out the date.  This could be the true timestamp or a secondary date, for illustration purposes, I'm grabbing the first date in the log message.

    I'm using parseDate to convert the date that I extracted into a numerical representation of the date.  I am also using the toMillis function to convert it into a millisecond date format.

    I can then use the formatDate operator to to convert the millisecond based date into a string (of any Java compliant format)

     

    0
    Comment actions Permalink

Please sign in to leave a comment.

Didn't find what you were looking for?

New post