OneAgent log data formats

• Latest Dynatrace
• Explanation
• 5-min read
• Updated on Feb 12, 2026

Log Monitoring can read and analyze:

Windows event logs

System, Security, and Application logs are automatically discovered on hosts. Other custom event-log format logs can be added manually on the environment level. The timestamp is sourced from an event's attribute, Event.System.TimeCreated.<xmlattr>.SystemTime.

Plain-text logs

Any plain-text log file is valid as long as it is encoded in UTF-8 or UTF-16. The timestamp is detected automatically when it is present, according to the rules described in Supported timestamp formats (Logs Classic). It is also possible to configure your timestamp. If no timestamp is present, the log format is still valid. In such case, each line that doesn't start with a whitespace is treated as the beginning of a new log record, and is automatically assigned a timestamp that is the time of reading a log record by OneAgent.

Incorrect date formats

Any log entry with an unrecognized timestamp will be adjusted with the current timestamp to allow the log entry to be processed.

Examples of valid log file time formats

The proper timestamp format consists of both date and time. The list below covers possible time formats, which need to be paired with the allowed date formats listed in the next section:

12:23:34.123
12:23:34.123GMT+0100
12:23:34.123 GMT+0100
0:00:00 GMT
0:00:00   GMT+0100
00:00:00
12:13:01+0100
12:13:02.123
12:13:03.123123+0100
12:13:02,123
12:13:03,123123+0100
12:13:04GMT
12:13:05GMT+0100
12:13:06GMT+01
12:13:09+0100
12:13:10+01
12:13:12+0200
12:13:13.123pm
12:13:14.123 AM
12:13:15.123PM+01
12:13:16.123 AM+02
12:13:17CEST
12:13:18 CET
00:13:19

Examples of valid log file timestamps

Below are the date formats that need to be paired with the time formats listed in the previous section:

2018-04-06 09:54:04.839 UTC
2018-04-06 11:01:19,625
2018/04/06 11:06:23 UTC
Apr  6 12:23:52
Apr-6 13:35:57.621

JSON logs

OneAgent version 1.327+ supports logs in JSON format.

Logs can be provided as JSON objects or arrays. Newline characters can be used to create multi-line JSON objects.

Headers and non-JSON prefixes are allowed. These are parsed as plain text.

OneAgent accepts a header at the beginning of the file, which is parsed as plain text.

The following timestamp formats are supported in JSON logs:

ISO 8601 format: %Y-%m-%d %H:%M:%S
RFC 3339 format: %Y-%m-%dT%H:%M:%S
Unix Epoch format, providing the number of seconds or milliseconds that have elapsed since January 1, 1970
RFC 3164 format: %b %t%d %H:%M:%S
W3C (World Wide Web Consortium) format: %Y-%m-%d %H:%M:%S
%d %b %Y %H:%M:%S
%Y %b %d %H:%M:%S
%d/%b/%Y:%H:%M:%S

An example of how these timestamps can appear in log records is given below:

2025-03-04 10:30:00 UTC
2025-03-04T10:30:00Z
1772616602
Apr 6 12:23:52
2025-03-04 10:30:00
17 Apr 2022 11:25:12.345
2022 Apr 17 11:25:12.345
17/Apr/2022:11:25:12.345

JSON log enrichment

OneAgent extracts the timestamp and loglevel attributes from the appropriate fields within the JSON object. This is the same behavior as with the Log ingestion API.

Additionally, it extracts the attributes from a non-JSON prefix, if present. In such a case, the values from the prefix take priority.

If there are multiple timestamp or loglevel fields within a single JSON object, the first key in the predifined order with the value that has the correct data format is used. For the unsupported timestamp format, the current timestamp is used, and the value of the unsupported timestamp format is stored in the unparsed_timestamp attribute. This attribute isn't indexed for Log Monitoring Classic.

See the supported timestamp keys

When fields start with dt. (for example, dt.trace_id or dt.span_id) and appear at the root or first nested level of the JSON object, OneAgent automatically extracts them and adds them as attributes.

To learn more about log levels, go to Automatic log enrichment.

Configuration

Automatic JSON parsing is enabled by default. If OneAgent does not recognize content in JSON format, the log file is treated as plain-text.

You can explicitly disable JSON parsing by creating a timestamp configuration rule where the JSON parsing option is disabled. To learn how to configure a timestamp rule, go to Timestamp/splitting configuration.

To disable JSON parsing for a log file: