Merge pull request #16955 from bmcfeely/patch-7

fix(logs): Add information about Grok 'datetime' pattern strings
newrelic · May 6, 2024 · 172eed7 · 172eed7
2 parents a887222 + 7bf2ed1
commit 172eed7
Showing 1 changed file with 7 additions and 20 deletions.
diff --git a/src/content/docs/logs/ui-data/parsing.mdx b/src/content/docs/logs/ui-data/parsing.mdx
@@ -119,14 +119,16 @@ Grok is a superset of regular expressions that adds built-in named patterns to b
 Grok patterns have the syntax:
 
   ```
-  %{PATTERN_NAME[:OPTIONAL_EXTRACTED_ATTRIBUTE_NAME[:OPTIONAL_TYPE]]}
+  %{PATTERN_NAME[:OPTIONAL_EXTRACTED_ATTRIBUTE_NAME[:OPTIONAL_TYPE[:OPTIONAL_PARAMETER]]]}
   ```
 
     Where:
 
     * `PATTERN_NAME` is one of the supported Grok patterns. The pattern name is just a user-friendly name representing a regular expression. They are exactly equal to the corresponding regular expression.
     * `OPTIONAL_EXTRACTED_ATTRIBUTE_NAME`, if provided, is the name of the attribute that will be added to your log message with the value matched by the pattern name. It's equivalent to using a named capture group using regular expressions. If this is not provided, then the parsing rule will just match a region of your string, but not extract an attribute with its value.
     * `OPTIONAL_TYPE` specifies the type of attribute value to extract. If omitted, values are extracted as strings. For instance, to extract the value `123` from `"File Size: 123"` as a number into attribute `file_size`, use `value: %{INT:file_size:int}`.
+    * `OPTIONAL_PARAMETER` specifies an optional parameter for certain types. Currently only the `datetime` type takes a parameter, see below for details.
+
 
 You can also use a mix of regular expressions and Grok pattern names in your matching string.
 
@@ -286,29 +288,14 @@ Note that variable names must be explicitly set and be lowercase like `%{URI:uri
         </td>
 
         <td>
-          ISO 8601 time as a `long`
-        </td>
-      </tr>
+          Time as a `long`
 
-      <tr>
-        <td>
-          `string` (default)
-          `text`
-        </td>
 
-        <td>
-          `string`
-        </td>
-      </tr>
+          By default it is interpreted as ISO 8601. If `OPTIONAL_PARAMETER` is present, it specifies
+          the [date and time pattern string](https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/text/SimpleDateFormat.html)to use to interpret the `datetime`.
 
-      <tr>
-        <td>
-          `date`
-          `datetime`
-        </td>
 
-        <td>
-          ISO 8601 time as a `long`
+          Note that this is only available during parsing. We have an additional, [separate timestamp interpretation step](/docs/logs/ui-data/timestamp-support) that occurs for all logs later in the ingestion pipeline.
         </td>
       </tr>