# Modifying log body timestamps

To update the timestamp in the log body, four processors are required.

The four processors each manage a step in the overall process:

1. **Extract** the timestamp text and surrounding components from the log body.
2. **Parse** the extracted timestamp text into a timestamp object using strptime and provide a timezone.
3. **Convert** the timestamp object back into the log's original timestamp text format using ctime.
4. **Combine** the updated timestamp text with the original log components.

It can be helpful to think of the specific fields involved in each step:

1. `body` → `attribute.pre_ts`, `attribute.ts`, `attribute.post_ts`
2. `attribute.ts` → `log.time`
3. `log.time` → `attribute.new_ts`
4. `attribute.pre_ts` + `attribute.new_ts` + `attribute.post_ts` → `body`

<div align="right"><figure><img src="https://content.gitbook.com/content/A6BP9V0wfJj4LZdQH6OJ/blobs/spbaz058gE8RPVtoB1AY/Screenshot%202025-09-08%20at%203.19.58%E2%80%AFPM.png" alt=""><figcaption><p>Final result of updating the Body's timestamp</p></figcaption></figure></div>

### Extract timestamp from body

The first processor needed is [Broken link](https://docs.bindplane.com/how-to-guides/broken-reference "mention"). Select `Body` for the `Source Field Type`. Then select `Attribute` for the `Target Field Type`. Create a regex pattern to extract the timestamp and surrounding elements from the body using [named capture groups](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Regular_expressions/Named_capturing_group).

```
Sep   8 14:57:32 asdfasdfasdf syslog message
```

```regex
(?P<pre_ts>^.*)(?P<ts>(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+\d{1,2}\s\d{2}:\d{2}:\d{2})(?P<post_ts>.*$)
```

This regex separates the body into three attribute fields: `pre_ts` (anything before the timestamp), `ts` (the timestamp), and `post_ts` (anything after the timestamp). The final processor, described later, needs `pre_ts` and `post_ts` to reconstruct the body around a modified timestamp derived from `ts`.

{% hint style="info" %}
The log body in our example starts with the timestamp, therefore `pre_ts` is blank.
{% endhint %}

<figure><img src="https://content.gitbook.com/content/A6BP9V0wfJj4LZdQH6OJ/blobs/DUFf19mi8mvoM3utOzAh/Screenshot%202025-09-08%20at%203.18.35%E2%80%AFPM.png" alt=""><figcaption></figcaption></figure>

### Parse timestamp text into timestamp object

For the second processor we will add [Broken link](https://docs.bindplane.com/how-to-guides/broken-reference "mention"), which parses `attribute.ts` and updates `log.time`.

Set the timestamp extracted in the last step as the source: select `Attribute` for the `Log Field Type`, then type `ts` for the `Source Field`.

Choose `Manual` for the `Log Time Format`. The value of `Timestamp Layout` will depend on the logs being collected. You can often ask AI to produce the strptime layout based on an example.

```
Sep   8 14:57:32
```

```
%b  %e %H:%M:%S
```

{% hint style="info" %}
`ctime` and `strptime` are often used interchangeably. `ctime` converts a Time object to a string, while `strptime` converts a string to a Time object.
{% endhint %}

We can now account for the missing timezone context. In this example, the log's timestamp is UTC-03:00, corresponding to the TZ Identifier `America/Argentina/Buenos_Aires`. We will assign this as the value of `Location`.

{% hint style="warning" %}
You can specify a timezone for `Location` using a TZ Identifier only if `Log Time Format` is set to `Manual`.
{% endhint %}

{% hint style="success" %}
`log.time` now accurately reflects the original log's timestamp as UTC, displaying the expected 3-hour difference.
{% endhint %}

<figure><img src="https://content.gitbook.com/content/A6BP9V0wfJj4LZdQH6OJ/blobs/v5uddGDLBxxHES2UiiyK/Screenshot%202025-09-08%20at%203.19.00%E2%80%AFPM.png" alt=""><figcaption></figcaption></figure>

### Make the modified timestamp text

We will now use the [Broken link](https://docs.bindplane.com/how-to-guides/broken-reference "mention") processor to generate a field `attribute.new_ts`. This field holds `log.time` rendered as a UTC timestamp in the original log's format.

Select `Attributes` for the `Target Field Type`. Then type `new_ts` for the `Target Field`. The `Timestamp Format` will match the strptime layout used in the last step, unless there is a specific need to modify the timestamp format.

{% hint style="success" %}
At this stage `new_ts` will match the original format but account for the timezone.
{% endhint %}

<figure><img src="https://content.gitbook.com/content/A6BP9V0wfJj4LZdQH6OJ/blobs/Cg736Tg3VmpXw4qWzqsx/Screenshot%202025-09-08%20at%203.19.22%E2%80%AFPM.png" alt=""><figcaption></figcaption></figure>

### Overwrite the body with the modified timestamp

Finally, we need to rebuild the log body with the modified timestamp by using [Broken link](https://docs.bindplane.com/how-to-guides/broken-reference "mention").

Choose `Attributes` under `Source Field Type`. Then enter each of the following for `Source Fields`: `pre_ts`, `new_ts`, and `post_ts`. Finally, select `Body` for `Target Field Type`.

{% hint style="success" %}
Body should match the original but with your corrected timestamp.
{% endhint %}

<figure><img src="https://content.gitbook.com/content/A6BP9V0wfJj4LZdQH6OJ/blobs/b80tF46wjrMBoD3cB8g9/Screenshot%202025-09-08%20at%203.19.38%E2%80%AFPM.png" alt=""><figcaption></figcaption></figure>
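
The four steps end to end, as an added Python example (not Bindplane's own code or configuration). It reuses this page's regex, layout and sample line, models the `Location` timezone as a fixed UTC-03:00 offset, and takes a `year` argument as an assumption because the sample timestamp carries none; the function name `rewrite_body` is hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# Same pattern as the Extract step on this page.
PATTERN = re.compile(
    r"(?P<pre_ts>^.*)"
    r"(?P<ts>(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
    r"\s+\d{1,2}\s\d{2}:\d{2}:\d{2})"
    r"(?P<post_ts>.*$)"
)

# Assumption: a fixed UTC-03:00 offset stands in for the TZ Identifier
# America/Argentina/Buenos_Aires, so the example needs no tz database.
SOURCE_TZ = timezone(timedelta(hours=-3))


def rewrite_body(body, year, source_tz=SOURCE_TZ):
    """Return (new_body, log_time_utc); the body is returned unchanged on no match."""
    # 1. Extract: body -> pre_ts, ts, post_ts
    m = PATTERN.match(body)
    if m is None:
        return body, None

    # 2. Parse: ts -> log.time. The text has no year, so one is supplied
    #    (assumption); Python's strptime would otherwise default to 1900.
    local = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    log_time = local.replace(tzinfo=source_tz).astimezone(timezone.utc)

    # 3. Convert: log.time -> new_ts in the page's layout "%b  %e %H:%M:%S"
    #    (%e is the space-padded day; built by hand because Python's
    #    strptime/strftime do not portably support %e).
    new_ts = f"{log_time:%b}  {log_time.day:2d} {log_time:%H:%M:%S}"

    # 4. Combine: pre_ts + new_ts + post_ts -> body
    return m["pre_ts"] + new_ts + m["post_ts"], log_time


if __name__ == "__main__":
    # Sample line from this page, followed by constructed edge cases.
    for line in (
        "Sep   8 14:57:32 asdfasdfasdf syslog message",
        "Sep  30 23:30:00 host msg",  # conversion crosses midnight and month
        "relay Sep   8 10:00:00 fwd: Sep   8 14:57:32 msg",  # two timestamps
    ):
        print(rewrite_body(line, 2025)[0])
```

Because `pre_ts` is greedy, a body containing more than one matching timestamp has only the last one rewritten. A conversion that crosses midnight changes the day (and possibly the month) in the rewritten body, not just the hour.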
