# Modifying log body timestamps

To update the timestamp in the log body, four processors are required.

* [Parse with Regex](/integrations/processors/parse-with-regex.md)
* [Parse Timestamp](/integrations/processors/parse-timestamp.md)
* [Rewrite Timestamp](/integrations/processors/rewrite-timestamp.md)
* [Concat](/integrations/processors/concat.md)

The four processors each manage a step in the overall process:

1. **Extract** the timestamp text and surrounding components from the log body.
2. **Parse** the extracted timestamp text into a timestamp object using strptime and provide a timezone.
3. **Convert** the timestamp object back into the log's original timestamp text format using ctime.
4. **Combine** the updated timestamp text with the original log components.

It can be helpful to think of the specific fields involved in each step:

1. `body` → `attribute.pre_ts`, `attribute.ts`, `attribute.post_ts`
2. `attribute.ts` → `log.time`
3. `log.time` → `attribute.new_ts`
4. `attribute.pre_ts` + `attribute.new_ts` + `attribute.post_ts` → `body`

<div align="right"><figure><img src="/files/7MiJmretIK6TrjqizkcU" alt=""><figcaption><p>Final result of updating the Body's timestamp</p></figcaption></figure></div>

### Extract timestamp from body

The first processor needed is [Parse with Regex](/integrations/processors/parse-with-regex.md). Select `Body` for the `Source Field Type`. Then select `Attribute` for the `Target Field Type`. Create a regex pattern to extract the timestamp and surrounding elements from the body using [named capture groups](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Regular_expressions/Named_capturing_group).

```
Sep   8 14:57:32 asdfasdfasdf syslog message
```

```regex
(?P<pre_ts>^.*)(?P<ts>(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+\d{1,2}\s\d{2}:\d{2}:\d{2})(?P<post_ts>.*$)
```

This regex separates the body into three attribute fields: `pre_ts` (anything before the timestamp), `ts` (the timestamp), and `post_ts` (anything after the timestamp). The `pre_ts` and `post_ts` attributes are needed in the final processor, described later, to reconstruct the body around the modified timestamp derived from `ts`.

{% hint style="info" %}
The log body in our example starts with the timestamp, therefore `pre_ts` is blank.
{% endhint %}

<figure><img src="/files/DTarKMBLNx13K2zINhX7" alt=""><figcaption></figcaption></figure>

### Parse timestamp text into timestamp object

For the second processor we will add [Parse Timestamp](/integrations/processors/parse-timestamp.md), which parses `attribute.ts` and updates `log.time`.

Set the timestamp extracted in the last step as the source: select `Attribute` for the `Log Field Type`, then type `ts` for the `Source Field`.

Choose `Manual` for the `Log Time Format`. The value of `Timestamp Layout` will depend on the logs being collected. You can often ask AI to produce the strptime layout based on an example.

```
Sep   8 14:57:32
```

```
%b  %e %H:%M:%S
```

{% hint style="info" %}
`ctime` and `strptime` are often used interchangeably. `ctime` converts a Time object to a string, while `strptime` converts a string to a Time object.
{% endhint %}

We can now account for the missing timezone context. In this example, the log's timestamp is UTC-03:00, corresponding to the TZ Identifier `America/Argentina/Buenos_Aires`. We will assign this as the value of `Location`.

{% hint style="warning" %}
You can specify a timezone for `Location` using a TZ Identifier only if `Log Time Format` is set to `Manual`.
{% endhint %}

{% hint style="success" %}
`log.time` now accurately reflects the original log's timestamp as UTC, displaying the expected 3-hour difference.
{% endhint %}

<figure><img src="/files/MSdBkT6EJpWu7xYcaMeM" alt=""><figcaption></figcaption></figure>

### Make the modified timestamp text

We will now use the [Rewrite Timestamp](/integrations/processors/rewrite-timestamp.md) processor to generate a field `attribute.new_ts`. This field holds `log.time` rendered as a UTC timestamp in the original log's format.

Select `Attributes` for the `Target Field Type`. Then type `new_ts` for the `Target Field`. The `Timestamp Format` will match the strptime layout used in the last step, unless there is a specific need to modify the timestamp format.

{% hint style="success" %}
At this stage `new_ts` will match the original format but account for the timezone.
{% endhint %}

<figure><img src="/files/DaYyvIAGHkgMjR8HNSkF" alt=""><figcaption></figcaption></figure>

### Overwrite the body with the modified timestamp

Finally, we need to rebuild the log body with the modified timestamp by using [Concat](/integrations/processors/concat.md).

Choose `Attributes` under `Source Field Type`. Then enter each of the following for `Source Fields`: `pre_ts`, `new_ts`, and `post_ts`. Finally, select `Body` for `Target Field Type`.

{% hint style="success" %}
Body should match the original but with your corrected timestamp.
{% endhint %}

<figure><img src="/files/Lzb4JhWfTXeL6Ieie5To" alt=""><figcaption></figcaption></figure>
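To check the expected output of the four steps before building the pipeline, the same extract, parse, convert and combine logic can be reproduced offline. The following Python sketch is an added example, not Bindplane code: `load_location`, `rewrite_body` and the `year` argument are hypothetical names, and the year is an assumption because the sample timestamp does not carry one. It uses `%d` when parsing (which also accepts a space-padded day) and pads the day by hand on output to mirror the `%b  %e` layout.

```python
import re
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

# Regex from the "Extract timestamp from body" step.
BODY_RE = re.compile(
    r"(?P<pre_ts>^.*)"
    r"(?P<ts>(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
    r"\s+\d{1,2}\s\d{2}:\d{2}:\d{2})"
    r"(?P<post_ts>.*$)"
)


def load_location(name="America/Argentina/Buenos_Aires"):
    """Resolve the TZ Identifier used for `Location`.

    Falls back to the fixed UTC-03:00 offset stated on this page if the
    host has no tz database (the fallback is an assumption of this sketch).
    """
    try:
        return ZoneInfo(name)
    except ZoneInfoNotFoundError:
        return timezone(timedelta(hours=-3))


def rewrite_body(body, location, year):
    # 1. Extract: body -> pre_ts, ts, post_ts
    m = BODY_RE.match(body)
    if m is None:
        return body  # no timestamp found: leave the body untouched
    # 2. Parse: ts -> timezone-aware time (year supplied by the caller)
    local = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    local = local.replace(tzinfo=location)
    # 3. Convert: time -> new_ts in UTC, laid out like "%b  %e %H:%M:%S"
    utc = local.astimezone(timezone.utc)
    new_ts = f"{utc:%b}  {utc.day:>2} {utc:%H:%M:%S}"
    # 4. Combine: pre_ts + new_ts + post_ts -> body
    return m["pre_ts"] + new_ts + m["post_ts"]


if __name__ == "__main__":
    tz = load_location()
    # First line is the page's sample; the second is constructed to show
    # the date rolling over to the next day after conversion to UTC.
    for line in ("Sep   8 14:57:32 asdfasdfasdf syslog message",
                 "<13>Sep   8 22:30:00 host1 constructed sample"):
        print(rewrite_body(line, tz, 2024))
```

Comparing this output with the pipeline preview confirms the 3-hour shift, and the second sample shows that the day in the body changes when the UTC conversion crosses midnight.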

