
When logging to CloudWatch logs in a JSON format what is the name of the timestamp property and what is the expected format?


I'm logging to CloudWatch logs using a logging framework that sends JSON. At the moment every log in CloudWatch is being logged with the same date.

What is the name of the JSON property that CloudWatch Logs looks for to determine the date/time of the logged event, and what format does it have to be in to be logged correctly?

Are these details documented by AWS and if so, where? Cause I can't find it within the CloudWatch logs documentation...

Here's my example log at the moment:

{
    "time": "2022-02-16 19:11:29.9734",
    "level": "ERROR",
    "message": "Something went wrong...",
    "callsite": "My.NameSpace.Services.ImageDetector",
    "logger": "My.NameSpace.Services.ImageDetector",
    "url": "https://example.com",
    "action": "CheckImage",
    "ipaddress": "8.8.8.8.8",
    "user": "root"
}

But it's logging with the datetime 2022-02-14T01:12:47.160+00:00 every time.

Or can it only be sent along with the API call and is not pulled out of the log contents itself as I think it is?


Solution

  • It seems that there is a concept of "discovered fields" when posting JSON to CloudWatch. One of these is the log timestamp.

    If you post a timestamp field in your JSON payload it will auto detect the timestamp from the value.

    This can be confirmed by querying for log entries in CloudWatch insights. The log entry only included a "timestamp" field, but the auto generated @timestamp value is filled:

    Please note that the timestamp display in CloudWatch displays the timestamp in your local timezone.

    Discovered fields are documented here.
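
Added example, not part of the original question or answer: the question also asks whether the time can be sent with the API call. The PutLogEvents API takes a per-event `timestamp` in milliseconds since the Unix epoch, and this sketch derives it from the question's `time` layout. It assumes that value is UTC; the function names, the fallback behaviour and the extra sample lines are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Layout of the "time" property in the question's sample log.
TIME_FORMAT = "%Y-%m-%d %H:%M:%S.%f"

# Constructed sample input: the first line follows the question's log,
# the other two are invented to show ordering and the fallback path.
SAMPLE_LINES = [
    '{"time": "2022-02-16 19:11:29.9734", "level": "ERROR", "message": "Something went wrong..."}',
    '{"time": "2022-02-16 19:11:28.5", "level": "INFO", "message": "constructed earlier event"}',
    '{"level": "WARN", "message": "constructed event without a time field"}',
]


def to_epoch_ms(value, assume_tz=timezone.utc):
    """Convert the framework's time string to epoch milliseconds.

    The string carries no offset, so the zone is an assumption (UTC here).
    Integer division avoids float rounding on the millisecond boundary.
    """
    dt = datetime.strptime(value, TIME_FORMAT).replace(tzinfo=assume_tz)
    return (dt - EPOCH) // timedelta(milliseconds=1)


def build_log_events(json_lines, now_ms):
    """Build the logEvents list in the shape PutLogEvents expects.

    Lines with a missing or unparseable "time" fall back to now_ms so the
    event is still shipped instead of being lost.
    """
    events = []
    for line in json_lines:
        try:
            ts = to_epoch_ms(json.loads(line)["time"])
        except (ValueError, KeyError, TypeError):
            ts = now_ms
        events.append({"timestamp": ts, "message": line})
    # PutLogEvents requires a batch to be in chronological order.
    events.sort(key=lambda e: e["timestamp"])
    return events


if __name__ == "__main__":
    # The result would be passed as logEvents= to boto3's
    # logs.put_log_events(logGroupName=..., logStreamName=..., logEvents=...).
    for event in build_log_events(SAMPLE_LINES, now_ms=1645038700000):
        print(event["timestamp"], event["message"])
```

With the event time set explicitly this way, the time stored by CloudWatch reflects when the event happened rather than when it was ingested, which keeps timelines usable during an investigation.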