Logformat difference between %t and %trl

Hello,

We are encountering some sorting issues with our HAProxy logs.

Actually we are using this log-format line:
log-format %ci:%cp\ [%trl]\ %f\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ \ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r

The logs are then shipped with Filebeat to our ELK, using the %trl field to sort them.

Under high flow we can get a lot of requests/sec, and logs arrive in Elastic mis-ordered.

After a quick look in the doc I see:

| | %t | date_time (with millisecond resolution) | date |

And

| H | %trl | local_date_time of start of HTTP request | date |

Can someone explain the difference between these 2 params? What we need is the date the request starts.

Thank you for your help :slight_smile:

Hi,

Is anybody able to tell me when the log is written with %t vs %trl?

%t is the time the TCP connection was accepted, in the default format. Same thing is available in GMT (%T) and local time (%Tl).

Quoting from MEDIUM: log: Decompose %Tq in %Th %Ti %TR:

In addition to this, we have new timestamps %tr, %trg and %trl, which
log the date of start of receipt of the request, respectively in the
default format, in GMT time and in local time (by analogy with %t, %T
and %Tl). All of them are obviously only available for HTTP. These values
are more relevant as they more accurately represent the request date
without being skewed by a browser’s preconnect nor a keep-alive idle
time.

Then what you need is %tr, %trg or %trl, depending on your format preference.

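An added example, not part of the original posts or of HAProxy itself: a parser that reads the first bracketed timestamp of each log line and orders lines by it, with lines sharing a timestamp kept in arrival order. It assumes `%t`/`%tr` render as `06/Feb/2009:12:14:14.655` and `%trg`/`%trl` as `06/Feb/2009:12:14:14 +0100`; the function names and the sample lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)  # placeholder key for unparsable lines
# dd/Mon/yyyy:hh:mm:ss, then ".mmm" (assumed %t / %tr layout)
# or " +hhmm" (assumed %trg / %trl layout).
STAMP = re.compile(
    r"\[(\d{2})/([A-Z][a-z]{2})/(\d{4}):(\d{2}):(\d{2}):(\d{2})"
    r"(?:\.(\d{3})| ([+-])(\d{2})(\d{2}))?\]")

def parse_stamp(line, default_tz=timezone.utc):
    """Return the line's first bracketed timestamp as an aware datetime, or None."""
    m = STAMP.search(line)
    if m is None or m.group(2) not in MONTHS:
        return None
    day, mon, year, hh, mm, ss, ms, sign, oh, om = m.groups()
    tz = default_tz  # used when the field carries no UTC offset
    try:
        if sign:
            offset = timedelta(hours=int(oh), minutes=int(om))
            tz = timezone(-offset if sign == "-" else offset)
        return datetime(int(year), MONTHS[mon], int(day), int(hh), int(mm),
                        int(ss), int(ms or 0) * 1000, tzinfo=tz)
    except ValueError:  # impossible date or offset, e.g. 31/Feb
        return None

def sort_by_request_start(lines):
    """Sort by timestamp; ties keep arrival order, unparsable lines go last."""
    keyed = []
    for pos, line in enumerate(lines):
        ts = parse_stamp(line)
        keyed.append((ts is None, ts or EPOCH, pos, line))
    return [line for *_, line in sorted(keyed, key=lambda k: k[:3])]

# Constructed sample lines (not from the thread), cut off after the server name.
SAMPLE = [
    "10.0.0.7:51044 [06/Feb/2009:12:14:15 +0100] fe_web be_app/s1",
    "10.0.0.9:40112 [06/Feb/2009:11:14:14 +0000] fe_web be_app/s2",
    "10.0.0.7:51044 [06/Feb/2009:12:14:14 +0100] fe_web be_app/s1",
    "garbled line without a timestamp",
    "10.0.0.8:33990 [06/Feb/2009:12:14:14 +0100] fe_web be_app/s3",
]

if __name__ == "__main__":
    for line in sort_by_request_start(SAMPLE):
        print(line)
```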

Once again, a nice and clear response!

I was unable to find this by myself.

Thank you!