Make parse_log timestamp format explicit

adamwasila · Feb 4, 2020 · 816b0f3 · 816b0f3
1 parent f9e6cb1
commit 816b0f3
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 7 deletions.
diff --git a/lib/processor/parse_log.go b/lib/processor/parse_log.go
@@ -16,17 +16,38 @@ func init() {
 	Constructors[TypeParseLog] = TypeSpec{
 		constructor: NewParseLog,
 		Summary: `
-Parses common log [formats](#format) into structured data (JSON). This is easier
-and often much faster than ` + "[`grok`](/docs/components/processors/grok)" + `.`,
+Parses common log [formats](#formats) into [structured data](#codecs). This is
+easier and often much faster than ` + "[`grok`](/docs/components/processors/grok)" + `.`,
 		FieldSpecs: docs.FieldSpecs{
-			docs.FieldCommon("format", "A common log format to parse.").HasOptions(
+			docs.FieldCommon("format", "A common log [format](#formats) to parse.").HasOptions(
 				"syslog_rfc5424",
 			),
 			docs.FieldCommon("codec", "Specifies the structured format to parse a log into.").HasOptions(
 				"json",
 			),
 			partsFieldSpec,
 		},
+		Footnotes: `
+## Codecs
+
+Currently the only supported structured data codec is ` + "`json`" + `.
+
+## Formats
+
+### ` + "`syslog_rfc5424`" + `
+
+Makes a best effort to parses a log following the
+[Syslog rfc5424](https://tools.ietf.org/html/rfc5424) spec. The resulting
+structured document may contain any of the following fields:
+
+- ` + "`message`" + ` (string)
+- ` + "`timestamp`" + ` (string, RFC3339)
+- ` + "`hostname`" + ` (string)
+- ` + "`procid`" + ` (string)
+- ` + "`appname`" + ` (string)
+- ` + "`msgid`" + ` (string)
+- ` + "`structureddata`" + ` (object)
+`,
 	}
 }
 
@@ -66,7 +87,8 @@ func parserRFC5424() parserFormat {
 			resMap["message"] = *res.Message()
 		}
 		if res.Timestamp() != nil {
-			resMap["timestamp"] = *res.Timestamp()
+			resMap["timestamp"] = res.Timestamp().Format(time.RFC3339Nano)
+			// resMap["timestamp_unix"] = res.Timestamp().Unix()
 		}
 		if res.Hostname() != nil {
 			resMap["hostname"] = *res.Hostname()

diff --git a/website/docs/components/processors/parse_log.md b/website/docs/components/processors/parse_log.md
@@ -11,8 +11,8 @@ type: processor
 -->
 
 
-Parses common log [formats](#format) into structured data (JSON). This is easier
-and often much faster than [`grok`](/docs/components/processors/grok).
+Parses common log [formats](#formats) into [structured data](#codecs). This is
+easier and often much faster than [`grok`](/docs/components/processors/grok).
 
 
 import Tabs from '@theme/Tabs';
@@ -49,7 +49,7 @@ parse_log:
 
 ### `format`
 
-`string` A common log format to parse.
+`string` A common log [format](#formats) to parse.
 
 Options are: `syslog_rfc5424`.
 
@@ -68,4 +68,24 @@ batching messages [at the input level](/docs/configuration/batching).
 Indexes can be negative, and if so the part will be selected from the end
 counting backwards starting from -1.
 
+## Codecs
+
+Currently the only supported structured data codec is `json`.
+
+## Formats
+
+### `syslog_rfc5424`
+
+Makes a best effort to parses a log following the
+[Syslog rfc5424](https://tools.ietf.org/html/rfc5424) spec. The resulting
+structured document may contain any of the following fields:
+
+- `message` (string)
+- `timestamp` (string, RFC3339)
+- `hostname` (string)
+- `procid` (string)
+- `appname` (string)
+- `msgid` (string)
+- `structureddata` (object)
+