I have the following log structure from which I want to index date time properly.
INFO :20170503:11.21.54.48:XYZWX ABC123:[MESSAGE 123456]
INFO :20170503:11.21.54.54:XYZWX ABC123:[MESSAGE 123456]
INFO :20170503:11.21.54.60:XYZWX ABC123:[MESSAGE 123456]
WARNING:20170503:11.21.54.60:XYZWX ABC123:[MESSAGE 123456]
WARNING:20170503:11.21.54.60:XYZWX ABC123:[MESSAGE 123456]
I tried to add this to my props.conf - but cannot get this done right.
[mysourcetype]
TIME_PREFIX = :
TIME_FORMAT = %y%m%d:%H.%M.%S
I'm not really good at regex, so if you guys are able to help me I will appreciate it.
Thanks,
TIME_FORMAT doesn't use regex.
Try TIME_FORMAT = %Y%m%d:%H.%M.%S.%2N
This is what the final solution looks like.
Thanks all for helping me to get it done.
[my_logs]
TIME_PREFIX = ^\w+\s+:
TIME_FORMAT = %Y%m%d:%H.%M.%S.%2N
MAX_TIMESTAMP_LOOKAHEAD = 20
Would suggest adding this as well to your props.conf
TIME_PREFIX = ^\w+\s+\:
This is what I set up in my props.conf on the indexer app:
[my_logs]
TIME_PREFIX = ^\w+\s+:
TIME_FORMAT = %y%m%d:%H.%M.%S.%2N
MAX_TIMESTAMP_LOOKAHEAD = 20
Still no luck, getting the timestamp the data was indexed.
You need to use the exact string provided by @richgalloway (you're using lower-case y for year, which is used for 2 digit year; your data has 4 digit year, so you should be using upper-case Y in TIME_FORMAT).
Thanks a lot for that, it was exactly what was missing.
Had gone through that mask many times and missed it.
Thanks a lot guys 🙂
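A quick offline check of the settings discussed in this thread, as an added example that is not part of any post above: it approximates the TIME_PREFIX match, the MAX_TIMESTAMP_LOOKAHEAD window and the TIME_FORMAT parse in Python and is not Splunk's own parser. The names `extract_time` and `check` are hypothetical, and the `\s*` prefix variant is an assumption added here because the WARNING lines, as rendered on this page, have no space before the colon.

```python
import re
from datetime import datetime

# Two of the sample events from the question, as rendered on this page.
SAMPLES = [
    "INFO :20170503:11.21.54.48:XYZWX ABC123:[MESSAGE 123456]",
    "WARNING:20170503:11.21.54.60:XYZWX ABC123:[MESSAGE 123456]",
]

def extract_time(line, time_prefix, time_format, lookahead):
    """Approximate props.conf timestamp extraction; return datetime or None.

    Assumption: this only mimics prefix match -> lookahead window -> format
    parse. It is not Splunk's parser and knows no fallback rules.
    """
    m = re.search(time_prefix, line)
    if m is None:
        return None                      # TIME_PREFIX never matched
    window = line[m.end():m.end() + lookahead]
    # Python's strptime has no %2N, so a trailing ".%2N" is parsed by hand.
    subsec = time_format.endswith(".%2N")
    fmt = time_format[:-len(".%2N")] if subsec else time_format
    for n in range(len(window), 0, -1):  # longest prefix that parses wins
        try:
            ts = datetime.strptime(window[:n], fmt)
        except ValueError:
            continue
        if subsec:
            frac = re.match(r"\.(\d\d)", window[n:])
            if frac is None:
                return None
            ts = ts.replace(microsecond=int(frac.group(1)) * 10_000)
        return ts
    return None

def check(time_prefix, time_format, lookahead=20):
    """Return the parsed timestamp (or None) for every sample line."""
    return [extract_time(s, time_prefix, time_format, lookahead) for s in SAMPLES]

if __name__ == "__main__":
    settings = {
        "lower-case %y": (r"^\w+\s+:", "%y%m%d:%H.%M.%S.%2N"),
        "accepted stanza": (r"^\w+\s+:", "%Y%m%d:%H.%M.%S.%2N"),
        "\\s* variant (assumption)": (r"^\w+\s*:", "%Y%m%d:%H.%M.%S.%2N"),
    }
    for name, (prefix, fmt) in settings.items():
        print(name, "->", check(prefix, fmt))
```

A `None` result here corresponds to the symptom reported in the thread, where events end up with the time they were indexed instead of the time in the log line.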