Skip to main content

Timestamps

preq automatically detects the following timestamp formats:

  • Container Runtime Interface (CRI) 2016-10-06T00:17:09.669794202Z stdout P log
  • RFC3339 2006-01-02T15:04:05Z07:00
  • RFC3339Nano 2006-01-02T15:04:05.999999999Z07:00
  • ISO 8601 2006-01-02 15:04:05.000
  • RFC 3164 Jan 2 15:04:05
  • W3C 2006-01-02 15:04:05
  • Go/Klog I0102 15:04:05.000000
  • macOS log stream 2006-01-02 15:04:05.000000-0700
  • 2006/01/02 03:04:05
  • IIS 01/02/2006, 15:04:05
  • 02 Jan 2006 15:04:05.000
  • 2006 Jan 02 15:04:05.000
  • 02/Jan/2006:15:04:05.000
  • 01/02/2006 03:04:05 PM
  • 2006 Jan 02 15:04:05
  • "time":1744173105369186 in JSON data
  • Windows PowerShell Get-Events {"Value":"\/Date(1743277369500)\/"}

Adding custom formats

Custom timestamp formats can be added in one of three ways:

  • On the command line with -x and -t
  • In configuration under timestamp_regexes
  • In the data sources Yaml under an abstract data source using timestamp

A regular expression and format string are needed to locate the timestamp and parse it.

Important: The timestamp regular expression must produce a single group in the match. A group in regular expressions is a part of the pattern enclosed in parentheses (). It allows you to extract or refer to a specific sub-part of the match. The regular expression you provide must only include one set of parentheses. Multiple groups are not supported.

Example: Adding RFC850 timestamp formats

Suppose we'd like to detect problems in a log file using the RFC850 timestamp format.

test.log
Monday, 02-Jan-06 15:04:05 MST some things happened today
Monday, 02-Jan-06 15:04:06 MST then some other things
Monday, 02-Jan-06 15:04:07 MST new things
Monday, 02-Jan-06 15:04:08 MST more new things
Monday, 02-Jan-06 15:04:09 MST more new things
Monday, 02-Jan-06 15:04:10 MST a problem happened right here

If preq cannot detect the timestamp format, it will generate the following error:

bash
$ cat test.log | preq
Error: no timestamp delimiter

To add support for a new timestamp format, such as RFC850, add the following format and regular expression to the configuration.

~/.preq/config.yaml
timestamps:
  - format: "Monday, 02-Jan-06 15:04:05 MST"
    pattern: |
      ([A-Za-z]+day,\s+\d{2}-[A-Za-z]{3}-\d{2}\s+\d{2}:\d{2}:\d{2}\s+[A-Z]{3})

Then run preq and note that it no longer produces an error.

bash
$ cat test.log | preq -q
$ echo $?
0

You can also provide the format string and regular expression on the command line.

bash
$ cat test.log | preq -q -t "Monday, 02-Jan-06 15:04:05 MST" -x '([A-Za-z]+day,\s+\d{2}-[A-Za-z]{3}-\d{2}\s+\d{2}:\d{2}:\d{2}\s+[A-Z]{3})'
$ echo $?
0

Don't see your timestamp format?

If you don't see your timestamp format, and you'd rather not spend any time creating a new custom format, then just let us know! Ask us in GitHub discussions or ask us in Slack!