Log Monitoring can read and analyze:
System, Security, and Application logs are automatically discovered on hosts. Custom logs in event-log format can be added manually at the environment level. The timestamp is sourced from an event's attribute, Event.System.TimeCreated.<xmlattr>.SystemTime.
Any plain-text log file is valid as long as it is encoded in UTF-8 or UTF-16. The timestamp is detected automatically when it is present, according to the rules described in Supported timestamp formats (Logs Classic). It is also possible to configure your timestamp. If no timestamp is present, the log format is still valid. In such a case, each line that doesn't start with whitespace is treated as the beginning of a new log record and is automatically assigned, as its timestamp, the time at which OneAgent read the record.
There is no specific support for JSON. It is treated as text.
Any log entry with an unrecognized timestamp is assigned the current timestamp so that the entry can still be processed.
The proper timestamp format consists of both date and time. The list below covers possible time formats, which need to be paired with the allowed date formats listed in the next section:
12:23:34.123
12:23:34.123GMT+0100
12:23:34.123 GMT+0100
0:00:00 GMT
0:00:00 GMT+0100
00:00:00
12:13:01+0100
12:13:02.123
12:13:03.123123+0100
12:13:02,123
12:13:03,123123+0100
12:13:04GMT
12:13:05GMT+0100
12:13:06GMT+01
12:13:09+0100
12:13:10+01
12:13:12+0200
12:13:13.123pm
12:13:14.123 AM
12:13:15.123PM+01
12:13:16.123 AM+02
12:13:17CEST
12:13:18 CET
00:13:19
Below are the date formats that need to be paired with the time formats listed in the previous section:
2018-04-06 09:54:04.839 UTC
2018-04-06 11:01:19,625
2018/04/06 11:06:23 UTC
Apr 6 12:23:52
Apr-6 13:35:57.621
OneAgent version 1.327+ supports logs in JSON format.
Logs can be provided as JSON objects or arrays. Newline characters can be used to create multi-line JSON objects.
Headers and non-JSON prefixes are allowed. These are parsed as plain text.
OneAgent accepts a header at the beginning of the file, which is parsed as plain text.
OneAgent extracts the timestamp and loglevel attributes from the appropriate fields within the JSON object. This is the same behavior as with the Log ingestion API. Go to Log Monitoring API - POST ingest logs to see the list of supported keys.
Additionally, it extracts the attributes from a non-JSON prefix, if present. In such a case, the values from the prefix take priority.
If there are multiple timestamp or loglevel fields within a single JSON object, only the first key is used, in alphabetical order.
OneAgent automatically extracts any string fields whose names start with dt. (for example, dt.trace_id or dt.span_id), if they are located at the root or first inner level of the JSON object, and adds them as attributes.
The supported timestamp patterns for JSON logs, from fields or prefixes, are the same as for plain-text logs.
To learn more about log levels, go to Automatic log enrichment.
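The following added example (not OneAgent's code, only a sketch of the rules stated above) lets you preview which attributes a JSON log line with a non-JSON prefix would yield. The function names, the sample line, and the small set of timestamp keys are assumptions made for illustration; the authoritative key list is in the Log Monitoring API documentation.

```python
import json

# Assumption: illustrative subset of timestamp keys; the authoritative list is
# in the Log Monitoring API documentation the page refers to.
TIMESTAMP_KEYS = {"date", "eventtime", "timestamp"}


def split_prefix(line):
    """Return (prefix, obj): the non-JSON prefix and the first JSON object."""
    decoder = json.JSONDecoder()
    pos = line.find("{")
    while pos != -1:
        try:
            obj, _ = decoder.raw_decode(line, pos)
            return line[:pos].strip(), obj
        except json.JSONDecodeError:
            pos = line.find("{", pos + 1)  # brace belonged to the prefix text
    return line, None  # no JSON object found: plain-text record


def dt_attributes(obj):
    """String fields named dt.* at the root or the first inner level only."""
    found = {}
    for key, value in obj.items():
        if isinstance(value, dict):
            for k, v in value.items():
                if k.startswith("dt.") and isinstance(v, str):
                    found.setdefault(k, v)  # assumption: root wins on conflict
        elif key.startswith("dt.") and isinstance(value, str):
            found[key] = value
    return found


def first_timestamp_key(obj):
    """With several timestamp fields, only the alphabetically first is used."""
    return min((k for k in obj if k in TIMESTAMP_KEYS), default=None)


# Constructed sample line: plain-text prefix followed by a JSON object.
SAMPLE = (
    '2018-04-06 09:54:04.839 UTC INFO {"timestamp": "2018-04-06 11:01:19,625", '
    '"date": "2018/04/06 11:06:23 UTC", "dt.trace_id": "trace-aaaa", "dt.count": 5, '
    '"ctx": {"dt.span_id": "span-bbbb", "deep": {"dt.trace_id": "ignored"}}}'
)

if __name__ == "__main__":
    prefix, obj = split_prefix(SAMPLE)
    print("prefix (its values take priority):", prefix)
    print("timestamp field used:", first_timestamp_key(obj))
    print("dt.* attributes:", dt_attributes(obj))
```

In the sample, dt.count is skipped because it is not a string, and the dt.trace_id nested two levels down is skipped because it lies below the first inner level.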
Automatic JSON parsing is enabled by default. If OneAgent does not recognize content in JSON format, the log file is treated as plain text.
You can explicitly disable JSON parsing by creating a timestamp configuration rule where the JSON parsing option is disabled. To learn how to configure a timestamp rule, go to Timestamp/splitting configuration.
To disable JSON parsing for a log file:
Go to Settings > Log Monitoring > Timestamp/Splitting patterns.
On the record of your configured timestamp rule, select Edit.
Disable the JSON format detector option.
Select Save and close.