Time Prefix Question

edwardrose — Wed, 20 May 2020 18:47:14 GMT

Hello All

I have a time prefix question

Here is my timestamp

May 20 10:59:30 svr-orw-nac-01 2020-05-20 17:59:30,646
May 20 11:01:01 svr-ies-nac-02 2020-05-20 18:01:01,389

I am setting props.conf to be the following:

[source::/var/log2/gns/nac/log_*]
MAX_TIMESTAMP_LOOKAHEAD = 31
TIME_PREFIX = ^\w+\s\d+\s\d+:\d+:\d+\ssvr-.*-nac-\d[01|02]\s
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N

Does this look right?

Thanks
ed

Re: Time Prefix Question

PavelP — Wed, 20 May 2020 21:56:30 GMT

Hello @edwardrose,

small corrections:

TIME_PREFIX = ^\w+\s\d+\s\d+:\d+:\d+\ssvr\-\w+\-nac-(01|02)\s

it is better to use \w+ instead of .* - the first requires 58 steps instead of 126 steps, compare:

https://regex101.com/r/cOQ2a2/1 - 126 steps

https://regex101.com/r/cOQ2a2/2 - 58 steps

topic Time Prefix Question in Getting Data In

Time Prefix Question

Re: Time Prefix Question