Hi,
The event in my Log always has a prefix yyyy-MM-dd hh:mm:ss,SSS e.g. 2013-07-30 07:12:11,649
To have the event indexed properly, can I use the line below in props.conf
BREAK_ONLY_BEFORE=yyyy-MM-dd hh:mm:ss,SSS
Thanks for the advice!
Nope. You're (kinda) mixing up BREAK_ONLY_BEFORE and TIME_FORMAT.
BREAK_ONLY_BEFORE is a regex field. Use something like:
BREAK_ONLY_BEFORE = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3}
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
Nope. You're (kinda) mixing up BREAK_ONLY_BEFORE and TIME_FORMAT.
BREAK_ONLY_BEFORE is a regex field. Use something like:
BREAK_ONLY_BEFORE = \d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3}
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
Thank you for the useful answer.
or
BREAK_ONLY_BEFORE=/d/d/d/d-/d/d-/d/d/ /d/d:/d/d:/d/d