Syslog format is quite common and all the common Linux logs use this format as they are written by syslog (/var/log/auth.log, /var/log/syslog, /var/log/kern.log, etc.).
If we append the current year it is parsed correctly, but it is inconvenient and there is a high risk that the user will not process Dec->Jan correctly and will get an incorrect year.
SELECT parseDateTimeBestEffort(concat(CAST(toYear(today()), 'String'), ' Jan 10 06:07:06'))
┌─parseDateTimeBestEffort(concat(CAST(toYear(today()), 'String'), ' Jan 10 06:07:06'))─┐
│ 2023-01-10 06:07:06 │
└──────────────────────────────────────────────────────────────────────────────────────┘
Additional context
It is important that you may parse December logs in January, so we should have some safeguard that the year is detected as a year corresponding to the month in the previous 11 months (or less) and not just the current year.
The TIMESTAMP field is the local time and is in the format of "Mmm dd
hh:mm:ss" (without the quote marks) where:
Mmm is the English language abbreviation for the month of the
year with the first character in uppercase and the other two
characters in lowercase. The following are the only acceptable
values:
Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec
dd is the day of the month. If the day of the month is less
than 10, then it MUST be represented as a space and then the
number. For example, the 7th day of August would be
represented as "Aug  7", with two spaces between the "g" and
the "7".
hh:mm:ss is the local time. The hour (hh) is represented in a
24-hour format. Valid entries are between 00 and 23,
inclusive. The minute (mm) and second (ss) entries are between
00 and 59 inclusive.
Use case
Currently we parse it completely wrong
Syslog format is
https://www.rfc-editor.org/rfc/rfc3164
https://www.rfc-editor.org/rfc/rfc5424
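An added example, not part of the original issue and not ClickHouse code: one way to apply the requested safeguard on the ingestion side, in Python. The function name `infer_syslog_datetime`, the one-day `skew` tolerance for clock drift and the 366-day look-back window are assumptions; the function picks the most recent year that does not place the RFC 3164 timestamp in the future, so December lines read in January get the previous year and an impossible date such as "Feb 29" is rejected instead of silently shifted.

```python
import re
from datetime import datetime, timedelta

MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")
# RFC 3164 "Mmm dd hh:mm:ss"; a day below 10 is space-padded ("Aug  7").
_TS = re.compile(r"^([A-Z][a-z]{2}) ([ \d]\d) (\d\d):(\d\d):(\d\d)$")


def infer_syslog_datetime(ts, now, skew=timedelta(days=1)):
    """Return ts as a naive local datetime with the year inferred from `now`.

    The result is the most recent date that is no later than now + skew and
    no more than 366 days before now. `now` must be expressed in the same
    local time zone as the host that wrote the log (assumption: the caller
    knows it, since RFC 3164 timestamps carry no zone).
    """
    m = _TS.match(ts)
    if not m or m.group(1) not in MONTHS:
        raise ValueError(f"not an RFC 3164 timestamp: {ts!r}")
    month = MONTHS.index(m.group(1)) + 1
    day, hh, mm, ss = (int(g) for g in m.groups()[1:])
    for year in (now.year, now.year - 1):
        try:
            candidate = datetime(year, month, day, hh, mm, ss)
        except ValueError:
            continue  # e.g. "Feb 29" in a non-leap year, or hour 24
        if candidate <= now + skew and now - candidate <= timedelta(days=366):
            return candidate
    raise ValueError(f"no plausible year for {ts!r} relative to {now}")


if __name__ == "__main__":
    # Constructed sample: timestamps from a log read shortly after New Year.
    now = datetime(2023, 1, 10, 8, 0, 0)
    for line_ts in ("Dec 31 23:59:58", "Jan 10 06:07:06", "Aug  7 01:02:03"):
        print(line_ts, "->", infer_syslog_datetime(line_ts, now))
```

When replaying an archived file, pass the time the file was collected or last modified as `now` rather than the wall clock, otherwise lines older than the window are rejected or assigned to the wrong year.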