topic Re: Timestamp and line not properly break in Getting Data In

Timestamp and line not properly break

antonyhan — Fri, 15 Jul 2016 13:53:38 GMT

I have this inputs.conf

[ServerLogs]
SHOULD_LINEMERGE = true
TRUNCATE = 0
BREAK_ONLY_BEFORE = ^\d{6}\s+\d{2}\:\d{2}\:\d{2}\:\d{3}\s+
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 20
TIME_FORMAT =%m%d%y %H:%M:%S:%3N
BREAK_ONLY_BEFORE_DATE = true

and piece of my log looks like:

        <imagePath>C:\Fiserv\TCAP\bin\..\data\images\20160714222778400413_20160714141254232.img</imagePath>
      </imageObject>
      <itemUserFields />
      <cpcsData />


071216 09:36:03:364 4524/6.4.2.10/2 INFO  CCaptureApiServerApp::InitInstance(): before requestProcessor.DoModal()

Second piece of log was recognized correctly with property time format. however for the first piece, the line was also broken before, and a time was recognized from "20160714141254232", which I am confused that that's not the time format I defined.

Anyone can shed some light here?

Re: Timestamp and line not properly break

twinspop — Tue, 29 Sep 2020 10:14:40 GMT

You've got 2 break definitions. Which is odd. Also, I've had much better luck using LINE_BREAKER vs BREAK_ONLY_BEFORE for some reason.

[ServerLogs]
LINE_BREAKER = ([\r\n]+)\d{6}\s+\d{2}\:\d{2}\:\d{2}\:\d{3}\s+
SHOULD_LINEMERGE = false
TRUNCATE = 0
MAX_TIMESTAMP_LOOKAHEAD = 20
TIME_FORMAT =%m%d%y %H:%M:%S:%3N
TIME_PREFIX = ^

Re: Timestamp and line not properly break

antonyhan — Fri, 15 Jul 2016 14:45:43 GMT

Tried and didn't work.
So weird....

Re: Timestamp and line not properly break

antonyhan — Fri, 15 Jul 2016 15:07:28 GMT

Thanks twinspop. it turns out a file permission problem on the servers and your setting works.