Add support for usec precision when parsing time

[smortex]

Python added a %f field ("Microsecond as a decimal number") in it's strptime() implementation to parse times with subsecond precision.

Borrow this idea and implement it in syslog-ng using the same field descriptor.

TODO:

• Add support for %f field to parse microseconds;
• Eat extra digits (i.e. nanosecond precision timestamp, while we only handle microseconds) see request;
• Move the time parsing code to wall_clock_time_strptime() see comment

[kira-syslogng]

This user does not have permission to start the build. Can one of the admins verify this patch and start the build?
(admin: you have the next options (make sure you checked the code):
"ok to test" to accept this pull request (and further changes) for testing
"test this please" for a one time test run
"add to whitelist" add author of a Pull Request to whitelist (globally, be careful, it means this user can trigger kira for any PR)
do nothing -> CI won't start)

[kira-syslogng]

This user does not have permission to start the build. Can one of the admins verify this patch and start the build?
(admin: you have the next options (make sure you checked the code):
"ok to test" to accept this pull request (and further changes) for testing
"test this please" for a one time test run
"add to whitelist" add author of a Pull Request to whitelist (globally, be careful, it means this user can trigger kira for any PR)
do nothing -> CI won't start)

[Kokan]

@kira-syslogng ok to test

[kira-syslogng]

Build SUCCESS

[bazsi]

This is actually something I had on my shortlist to implement, and in exactly the same manner (using %f to follow Python's lead here). Thank you.

There's one more problem I originally wanted to solve: since the microseconds part is optional, the dot should be parsed as the part of that piece, and I know %f does not consume the dot, but maybe we should implement a %F which does.

An example:

timestamp: Apr 29 13:58:40.411
date-parser(format("%b %d %H:%M:%S%F"));

Hmm I just noticed that %F is already taken, maybe we could use a multi-letter variant, like "%.f"

what do you think?

[bazsi]

Nicely done! Appreciate the testcases as well. I had some nitpicks as comments, but those are all optional.

[kira-syslogng]

Build SUCCESS

[smortex]

I amended my commit with style fixes, and added a new one to eat extra digit in the usec field as suggested.

---

Regarding consuming the dot ., I happen to be working on this PR after PuppetDB has changed the way it logs timestamps:

• 2017-02-02 00:29:16,706 (old, 5.x I guess)
• 2019-05-04T21:55:46.989+02:00 (new 6.x)

As you can see, the old format seems to use a coma , for separating seconds and millisecond ; while the new format use a dot .. So, as far as I am concerned, leaving responsibility of matching the right symbol outside the field seems more appropriate to me, and the complexity of a modifier does not worth it. It also match what Python does with the %f field.

Maybe we can keep it that way for now, and rely on users feedback to determine if it should be extended it in the future?

[bazsi]

I think it makes sense, and there's one more place this could be addressed: introduce support for multiple format() arguments to date-parser, trying them in order and accepting the timestamp at first success.

For example:

date-parser(format(
     "%b %d %H:%M:%S.%f",
     "%b %d %H:%M:%S,%f"
     "%b %d %H:%M:%S",
    ));

This would handle either ',' or '.' and even with the fractions omitted. I have a relevant use-case in the cisco-parser:

        if {
            # timestamp from Cisco Unified Call Manager, example "Jun 14 11:57:27 PM.685 UTC"
            # NOTE: drops msecs and timezone
            filter { match('^[.*]?([A-Za-z]{3} [0-9 ]\d \d{2}:\d{2}:\d{2} ((AM)|(PM)))' value('1') flags(store-matches)); };
            parser { date-parser(format('%b %d %H:%M:%S %p') template("$1")); };
        } elif {
            # timestamp without AM/PM mark, example: "Apr 29 13:58:40.411"
            # NOTE: drops msecs and timezone

            filter { match('^[.*]?([A-Za-z]{3} [0-9 ]\d \d{2}:\d{2}:\d{2})' value('1') flags(store-matches)); };
            parser { date-parser(format('%b %d %H:%M:%S') template("$1")); };
        } else {
            # timestamp with year information, example: "Apr 29 2017 13:58:40.411"
            filter { match('^[.*]?([A-Za-z]{3} [0-9 ]\d \d{4} \d{2}:\d{2}:\d{2})' value('1') flags(store-matches)); };
            parser { date-parser(format('%b %d %Y %H:%M:%S') template("$1")); };
        };

Would you give this a go, even in a separate PR? That would be awesome.

[smortex]

@bazsi I added a few commits to move the code around. Is it what you expected?

Regarding adding support for multiple formats to date-parser(), it seems a good idea, but I will not be able to work on this topic right now, so I would recommend splitting this into a separate issue / PR.

[kira-syslogng]

Build SUCCESS

[bazsi]

I have some minor requests in comments, but the code looks good. If you guys these I can approve this.

[kira-syslogng]

Build SUCCESS

[bazsi]

This looks good. Maybe you could squash your commits so that other reviewers will have an easier time reviewing the changes. Thanks. But if you do that, please make sure that non-functional changes (e.g. moving of the code) remain separated from functional changes.

[smortex]

@bazsi, I am back from holidays 🌴

I squashed the related commits as requested and rebased my work on top of the master branch.

[kira-syslogng]

Build SUCCESS

[furiel]

Looks good to me. Thank you for your contribution!

[kira-syslogng]

Build SUCCESS

[bazsi]

Good job! Approved on my part too.