Timestamp Extract

The Timestamp Extract rule replaces the log's ingestion timestamp with a timestamp parsed from a field within the log itself. This ensures that time-based searches and visualizations reflect when the event actually occurred, not when it was received.

When to Use

• There is a delay between when your application generates a log and when it is ingested by KubeSense.
• Your logs contain an application-generated timestamp that is more accurate than the ingestion time.
• You need precise event ordering for debugging distributed systems.

Fields

How It Works

The rule reads the value from the source field, parses it using the specified time format, and overwrites the log's timestamp with the parsed value. If parsing fails, the original ingestion timestamp is preserved.

Time Format Reference

The time format uses Go-style reference time layout. Here are common formats:

The reference time in Go format is always: Mon Jan 2 15:04:05 MST 2006 (which is 01/02 03:04:05 PM '06 -0700). Replace each component with the corresponding part of your timestamp format.

Examples

ISO 8601 Timestamp

• Source Field: event_time
• Time Format: 2006-01-02T15:04:05Z07:00

Parses values like 2026-03-10T13:55:36Z or 2026-03-10T13:55:36+05:30.

Custom Application Timestamp

• Source Field: app_timestamp
• Time Format: 2006-01-02 15:04:05.000

Parses values like 2026-03-10 13:55:36.789.

Apache Log Timestamp

• Source Field: timestamp
• Time Format: 02/Jan/2006:15:04:05 -0700

Parses values like 10/Mar/2026:13:55:36 +0000.

Tips

• If your logs are unstructured text, use a Parse rule first to extract the timestamp into a named field, then apply Timestamp Extract on that field.
• The time format must match the timestamp value exactly — including separators, timezone format, and decimal precision.
• When in doubt, test with a few sample log entries before saving.