Skip to main content
Panther Knowledge Base

Can I use multiple timestamp formats in one schema in Panther?

  1. Last updated
  2. Save as PDF

QUESTION

My custom log schema uses a timestamp format of %Y-%m-%d %H:%M:%S.%f %z. Some log entries come in without the microsecond part (.%f). Is there a way to handle both timestamp formats (one with the .%f and one without) in the same schema file without having to treat it as simple string?

ANSWER

Panther version 1.46 introduced the support of multiple timestamp formats in a single schema. Timestamps are defined by setting the type field to timestamp and specifying the timestamp format using the timeFormats field. 

You can find more information on how to use multiple timestamps formats in a singe schema by following our documentation page on Panther's Timestamps.

  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Page type
    Topic
  2. Tags
    This page has no tags.