Timestamp handling
The timestamp is an integral component of an event that underlies all observability analysis. In most cases, Imply Lumi automatically detects and stores the timestamp from an incoming event. In other cases, you might need to configure a pipeline in Lumi to parse the timestamp from the raw event message.
This topic describes how Lumi assigns timestamps and the time formats Lumi supports.
Timestamp detection
In most cases, Lumi parses the timestamp from the incoming log and stores it as the event timestamp. Lumi automatically detects the timestamp based on the protocol that sends the events or from one of the supported time formats.
Time zone assignment
When Lumi detects a time zone on the event timestamp, it preserves the designated time zone.
For example, 2023-10-26T15:30:00-05:00 denotes the timestamp five hours behind UTC.
When you manually map a timestamp that doesn't designate a time zone, select one of the available time zones, such as America/Los_Angeles.
If you don't specify the time zone, Lumi defaults to UTC.
A Splunk® forwarder can set the time zone even if it's not explicitly provided in the log. For details on how Splunk determines the timestamp and time zone, see Configure timestamp recognition and Specify time zones for timestamps.
When searching events, the time zone of your user account determines the timestamps displayed on events. For more information, see User account time zone.
Multiple time formats
If your incoming events have a mixture of time formats, such as different epoch formats, Lumi can automatically determine the timestamp.
If you're mapping the event timestamp manually, be sure to use the AUTO mode to retain the flexible detection behavior.
Otherwise, if you specify a fixed format, Lumi adheres to only that format for events processed through the pipeline.
Resolve a missing timestamp
When Lumi can't identify a timestamp in an event, consider the following strategies:
- For S2S integrations, configure the timestamp extraction properties on the IAM key.
- Manually assign the timestamp in a pipeline. See the following section on Manual timestamp mapping.
Otherwise, when Lumi can't detect the timestamp, it assigns the time at which it received the event.
Manual timestamp mapping
You can manually set the event timestamp using a timestamp mapper in a pipeline. This takes precedence over any timestamp Lumi previously determined.
To use the timestamp mapper, you need a source attribute that contains the reference timestamp.
The reference timestamp must adhere to a valid time format.
The source attribute can come from metadata sent by your forwarding agent, such as time: 1749599182000, or you can use any processor that creates an output attribute.
Example
Imagine that you have an event with the timestamp buried within the log message. In this example, you're able to determine a regular expression to extract the timestamp component for all your events. You can map the event timestamp using these steps:
- Create a pipeline if you don't already have one. Ensure the pipeline conditions match the events you want to process.
- Add a regex parser, in which the source is the log body and the regex is the pattern that extracts the timestamp. Provide a name for the output attribute, such as
time. Don't use the name of an attribute that already exists. - Add a timestamp mapper and designate the source as the attribute created in the previous step. Select the appropriate time format. If the timestamp doesn't contain a time zone designation, select a time zone.
- Add an attribute remover to remove the temporary attribute extracted by regex.
For a specific example, see the Processors reference.
Time formats
In a timestamp mapper, you can select from one of the following formats:
| Time format | Description | Example |
|---|---|---|
ISO_8601 | ISO 8601 standard | 2025-07-01T02:47:05.000Z |
EPOCH_SECONDS | Number of seconds since epoch time | 1749599182 |
EPOCH_MILLISECONDS | Number of milliseconds since epoch time* | 1749599182000 |
EPOCH_MICROSECONDS | Number of microseconds since epoch time | 1749599182000000 |
EPOCH_NANOSECONDS | Number of nanoseconds since epoch time | 1749599182000000000 |
DATE | HTTP date format | Tue, 15 Nov 1994 08:12:31 GMT |
CLF | Common log format | 10/Oct/2011:13:55:36 -0700 |
AUTO | Automatically detect one of the preceding formats | N/A |
CUSTOM | Custom time pattern using DateTimeFormatter syntax.Note that this syntax differs from strptime format you can use for parsing S2S timestamps. | yyyy-MM-dd HH:mm:ss to represent 2025-08-05 15:45:00 |
*The epoch time represents the Unix epoch: January 1, 1970, at 00:00:00 UTC.
Custom time zone patterns
When you manually map a timestamp using the CUSTOM format, you can specify how the time zone is formatted using one of the following patterns:
| Symbol | Time zone representation | Example pattern | Example timestamp |
|---|---|---|---|
VV | Time zone ID | yyyy-MM-dd'T'HH:mm:ss VV | 2025-10-01T09:55:36 America/New_York |
z | Time zone name | EEE, dd MMM yyyy HH:mm:ss z | Wed, 01 Oct 2025 13:55:36 GMT |
Z | Offset from UTC, +HHMM or -HHMM | dd/MMM/yyyy:HH:mm:ss Z | 01/Oct/2025:22:55:36 +0900 |
X | Offset from UTC, +HH | yyyy-MM-dd'T'HH:mm:ssX | 2025-10-01T14:55:36+01 |
XX | Offset from UTC, +HHMM | yyyy-MM-dd'T'HH:mm:ssXX | 2025-10-01T14:55:36+0100 |
XXX | Offset from UTC, +HH:MM | yyyy-MM-dd'T'HH:mm:ssXXX | 2025-10-01T14:55:36+01:00 |
O | Localized offset from UTC, short form | yyyy-MM-dd'T'HH:mm:ss O | 2025-10-01T14:55:36 GMT+1 |
OOOO | Localized offset from UTC, long form | yyyy-MM-dd'T'HH:mm:ss OOOO | 2025-10-01T14:55:36 GMT+01:00 |
If some of your timestamps don't have a time zone, use square brackets [] to denote optionality. For example, yyyy-MM-dd'T'HH:mm:ss[XX].
JSON file upload
If Lumi doesn't automatically detect the timestamp in a JSON file upload, you can designate the time zone and time format using the same options. Specify the timestamp configuration directly in the file upload UI rather than creating a pipeline.
Note that Lumi automatically detects the timestamps from supported CSV files.
User account time zone
The time zone configured on your account determines the timestamps you view on events. Keep this in mind when performing searches that filter events by a certain time range.
For example, consider an event in UTC time, 2025-07-01T02:47:05.000Z:
- If your account is set to UTC time, you'd view the same date and time on the event,
Jul 01, 02:47:05.000 AM. - If your account time zone is
America/Los_Angelesduring daylight savings time, you'd view the timestamp as seven hours behind UTC, orJun 30, 07:47:05.000 PM.
To change your account time zone, select your account name, click the Timezone drop-down, and select your time zone:
Learn more
For more information, see the following topics:
- Processors for the types of processors available in Lumi.
- File upload reference for more details on file upload.