Time formats
The timestamp is an integral component of an event that underlies all observability analysis. In most cases, Imply Lumi automatically parses the timestamp from an incoming event and stores its timestamp.
For some data formats, you may need to configure Lumi to identify the timestamp from the raw event message.
If Lumi can't detect the timestamp, it assigns the timestamp for when it received the event.
Lumi stores the timestamp for when it received the event in the observedAt system attribute.
This topic lists the available time formats you can specify in a timestamp processor or during JSON file upload.
Applications
You can specify a custom time format in a timestamp processor and for JSON file upload.
In a pipeline, you can use a timestamp processor to assign the event timestamp. The input value for the processor comes from a source attribute provided as metadata on the raw event or parsed using an upstream regex or grok parser.
When you upload a file with newline-delimited JSON data, you designate the field containing the timestamp and the format of the timestamp. Note that supported CSV files already include timestamps with designated time zones.
The time formats described in this topic don’t apply to the S2S integration, which uses timestamps from the incoming events. For details on how Splunk® determines the timestamp and time zone, see Configure timestamp recognition and Specify time zones for timestamps.
Time formats
You can select from one of the following time formats:
| Time format | Description | Example |
|---|---|---|
ISO_8601 | ISO 8601 standard | 2025-07-01T02:47:05.000Z |
EPOCH_SECONDS | Number of seconds since epoch time | 1749599182 |
EPOCH_MILLISECONDS | Number of milliseconds since epoch time | 1749599182000 |
EPOCH_MICROSECONDS | Number of microseconds since epoch time | 1749599182000000 |
EPOCH_NANOSECONDS | Number of nanoseconds since epoch time | 1749599182000000000 |
DATE | HTTP date format | Tue, 15 Nov 1994 08:12:31 GMT |
CLF | Common log format | 10/Oct/2011:13:55:36 -0700 |
CUSTOM | Custom time pattern using DateTimeFormatter syntax | yyyy-MM-dd HH:mm:ss to represent 2025-08-05 15:45:00 |
The epoch time represents the Unix epoch: January 1, 1970, at 00:00:00 Coordinated Universal Time (UTC).
Time zone
When Lumi detects a time zone on the event timestamp, it preserves the designated time zone.
For example, 2023-10-26T15:30:00-05:00 denotes the timestamp five hours behind UTC.
The preceding examples for ISO 8601, HTTP date, and common log format all include the time zone.
For timestamps that don't include time zone information, you can select a default time zone to use. When a timestamp doesn't contain the time zone and no default time zone has been selected, Lumi defaults to UTC.
User account
The time zone configured on your account determines the timestamps you view on events. Set your time zone in your profile settings:
For example, consider an event in UTC time, 2025-07-01T02:47:05.000Z.
If your account is set to UTC time, you'd view the same date and time on the event, Jul 01, 02:47:05.000 AM.
If you account time zone is America/Los_Angeles during daylight savings time, you'd view the timestamp as seven hours behind UTC, or Jun 30, 07:47:05.000 PM.
Custom format
The CUSTOM time format supports specifying the time zones in multiple ways,
shown in the following table:
| Symbol | Description | Timestamp example | Associated pattern |
|---|---|---|---|
VV | Time zone ID | 2025-10-01T09:55:36 America/New_York | yyyy-MM-dd'T'HH:mm:ss VV |
z | Time zone name | Wed, 01 Oct 2025 13:55:36 GMT | EEE, dd MMM yyyy HH:mm:ss z |
Z | Offset from UTC, +HHMM or -HHMM | 01/Oct/2025:22:55:36 +0900 | dd/MMM/yyyy:HH:mm:ss Z |
X | Offset from UTC, +HH | 2025-10-01T14:55:36+01 | yyyy-MM-dd'T'HH:mm:ssX |
XX | Offset from UTC, +HHMM | 2025-10-01T14:55:36+0100 | yyyy-MM-dd'T'HH:mm:ssXX |
XXX | Offset from UTC, +HH:MM | 2025-10-01T14:55:36+01:00 | yyyy-MM-dd'T'HH:mm:ssXXX |
O | Localized offset from UTC, short form | 2025-10-01T14:55:36 GMT+1 | yyyy-MM-dd'T'HH:mm:ss O |
OOOO | Localized offset from UTC, long form | 2025-10-01T14:55:36 GMT+01:00 | yyyy-MM-dd'T'HH:mm:ss OOOO |
If only some timestamps have the time zone, use square brackets [] to denote optionality. For example, yyyy-MM-dd'T'HH:mm:ss[XX].
See Time format for more information on this format.
Learn more
For more information, see the following topics:
- Processors for the types of processors available in Lumi.
- File upload reference for more details on file upload.