Timestamps
Default supported timestamps
preq automatically detects the following timestamp formats (see config.go):
- Example:
{"level":"error","error":"context deadline exceeded","time":1744570895480541,"caller":"server.go:462"}
- Example:
2006-01-02T15:04:05Z07:00 <log message>
- Example:
2006/01/02 03:04:05 <log message>
- Example:
2006-01-02 15:04:05.000 <log message>
- Example:
Jan 2 15:04:05 <log message>
- Example:
2006-01-02 15:04:05 <log message>
- Example:
I0102 15:04:05.000000 <log message>
- Example:
[2006-01-02 15:04:05,000] <log message>
- Example:
2006-01-02 15:04:05.000000-0700 <log message>
- Example:
2006/01/02 15:04:05 <log message>
- Example:
01/02/2006, 15:04:05 <log message>
- Example:
02 Jan 2006 15:04:05.000 <log message>
- Example:
2006 Jan 02 15:04:05.000 <log message>
- Example:
02/Jan/2006:15:04:05.000 <log message>
- Example:
01/02/2006 03:04:05 PM <log message>
- Example:
2006 Jan 02 15:04:05 <log message>
- Example:
2006-01-02 15:04:05.000 <log message>
- Example:
{"timestamp":"2025-03-26T14:01:02Z","level":"info", "message":"..."}
- Example:
{"ts":"2025-03-26T14:01:02Z","level":"info", "message":"..."}
- Example:
[7] 2025/04/25 02:01:04.339092 [ERR] 10.0.6.53:27827 - cid:10110160 - TLS handshake error: EOF
- Example:
{"creationTimestamp":"2025-04-23T20:50:35Z","name":"insecure-nginx-conf","namespace":"default","resourceVersion":"825013"}
- Example:
2025-04-24T21:55:08.535-0500 INFO example-log-entry
- Example:
{"level":"info","ts":1745549708.5355184,"msg":"example-log-entry"}
- Example:
{"Id":19,"Version":1,"Opcode":13,"RecordId":1493,"LogName":"System","ProcessId":4324,"ThreadId":10456,"MachineName":"windows","TimeCreated":"\/Date(1743448267142)\/"}
Adding custom formats
Custom timestamp formats can be added in one of three ways:
- On the command line with -x and -t
- In configuration under timestamp_regexes
- In the data sources YAML under an abstract data source using timestamp
A regular expression and format string are needed to locate the timestamp and parse it.
Important: The timestamp regular expression must produce a single group in the match. A group in regular expressions is a part of the pattern enclosed in parentheses (). It allows you to extract or refer to a specific sub-part of the match. The regular expression you provide must only include one set of parentheses. Multiple groups are not supported.
Example: Adding RFC850 timestamp formats
Suppose we'd like to detect problems in a log file using the RFC850 timestamp format.
Monday, 02-Jan-06 15:04:05 MST some things happened today
Monday, 02-Jan-06 15:04:06 MST then some other things
Monday, 02-Jan-06 15:04:07 MST new things
Monday, 02-Jan-06 15:04:08 MST more new things
Monday, 02-Jan-06 15:04:09 MST more new things
Monday, 02-Jan-06 15:04:10 MST a problem happened right here
If preq cannot detect the timestamp format, it will generate the following error:
$ cat test.log | preq
Error: no timestamp delimiter
To add support for a new timestamp format, such as RFC850, add the following format and regular expression to the configuration.
timestamps:
  - format: "Monday, 02-Jan-06 15:04:05 MST"
    pattern: |
      ([A-Za-z]+day,\s+\d{2}-[A-Za-z]{3}-\d{2}\s+\d{2}:\d{2}:\d{2}\s+[A-Z]{3})
Then run preq and note that it no longer produces an error.
$ cat test.log | preq -q
$ echo $?
0
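A pattern and format pair can be checked against sample lines before it goes into the configuration. The following is an added example, not code from preq or its documentation; it assumes the format string is a Go time layout (as the 2006-01-02 reference date in the examples suggests), and checkTimestampSpec is a hypothetical helper name.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Pattern, format and two sample lines copied from the RFC850 example on this page.
const rfc850Pattern = `([A-Za-z]+day,\s+\d{2}-[A-Za-z]{3}-\d{2}\s+\d{2}:\d{2}:\d{2}\s+[A-Z]{3})`
const rfc850Layout = "Monday, 02-Jan-06 15:04:05 MST"

var sampleLines = []string{
	"Monday, 02-Jan-06 15:04:05 MST some things happened today",
	"Monday, 02-Jan-06 15:04:10 MST a problem happened right here",
}

// checkTimestampSpec (hypothetical helper, not a preq API) enforces the
// single-group rule, then extracts and parses the timestamp on every line.
func checkTimestampSpec(pattern, layout string, lines []string) ([]time.Time, error) {
	// A YAML block scalar ("pattern: |") keeps a trailing newline; trim it.
	re, err := regexp.Compile(strings.TrimSpace(pattern))
	if err != nil {
		return nil, fmt.Errorf("bad pattern: %w", err)
	}
	if n := re.NumSubexp(); n != 1 {
		return nil, fmt.Errorf("pattern has %d capture groups, want exactly 1", n)
	}
	stamps := make([]time.Time, 0, len(lines))
	for i, line := range lines {
		m := re.FindStringSubmatch(line)
		if m == nil {
			return nil, fmt.Errorf("line %d: pattern did not match", i+1)
		}
		ts, err := time.Parse(layout, m[1])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		stamps = append(stamps, ts)
	}
	return stamps, nil
}

func main() {
	fmt.Println(checkTimestampSpec(rfc850Pattern, rfc850Layout, sampleLines))
	// Two groups violate the single-group rule, so this reports an error.
	fmt.Println(checkTimestampSpec(`(\d{2}):(\d{2})`, "15:04", sampleLines))
}
```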
Don't see your timestamp format?
If you don't see your timestamp format, and you'd rather not spend any time creating a new custom format, then just let us know! Ask us in GitHub discussions or ask us in Slack!