Is it possible to process a specific date/time format first and if the format doesn't match the regex, default it to another?
Nov 19 21:56:10 myhost1 myapp1 2018-11-19T21:56:10.394Z level=INFO
Nov 19 21:57:20 myhost2 myapp2 [10.110.101.85]: 2018-11-19 21:57:20:322 [INFO ]
Nov 19 21:58:30 myhost3 myapp3 status=failed exit_code=2
My props is set for the TIME_FORMAT of %Y-%m-%dT%H:%M:%S.%3N%Z using a regex TIME_PREFIX for everything before the date/time 2018-11-19T21:59:10.394Z (as in the first event). If the TIME_FORMAT doesn't match or doesn't exist (as in the second and third events), then I'd like to use the first date/time in the beginning of each event (Nov 19 21:57:20). Is this possible? If so, how would this be accomplished?
Hm, this is quite dirty to do. You can keep your TIME_PREFIX and modify your RegEx. Simply add an "or"-condition in your regex. On the left side, match your second timestamp and on the other side of the or-condition, match the first timestamp. This is what I would try. To keep the impact of the possible regex steps low, you can set MAX_TIMESTAMP_LOOKAHEAD to the position where your second (and preferred) timestamp would start. So your regex won't try to match the whole event once before trying to match the second condition in the or.
Is that clear enough or do you need a RegEx example?
If the TIME_FORMAT doesn't match or doesn't exist (as in the second and third events), then I'd like to use the first date/time in the beginning of each event (Nov 19 21:57:20). Is this possible? If so, how would this be accomplished?
I think this will be difficult to do with props.conf.
Maybe you could use a simple props.conf and then, using a Splunk search query, you can do the if-else assignment.
What is the problem you are trying to solve?
Are you looking to capture the milliseconds?
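The fallback asked about in the question, and the if-else assignment both answers point toward, modeled outside Splunk as an added example (not code from any of the posters, and not Splunk's own timestamp processor). It runs over the three sample events from the question; the names `event_time` and `classify`, the `assumed_year` parameter, and treating the syslog header as UTC are assumptions, needed because the header carries no year or zone.

```python
import re
from datetime import datetime, timezone

# Preferred timestamp: ISO 8601 with milliseconds and a literal Z (first event).
ISO_RE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z")
# Fallback: syslog header at the very start of the event (no year, no zone).
SYSLOG_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}")

def event_time(event, assumed_year, assumed_tz=timezone.utc):
    """Return (datetime, source): preferred format first, header otherwise."""
    m = ISO_RE.search(event)
    if m:
        try:
            ts = datetime.strptime(m.group(0), "%Y-%m-%dT%H:%M:%S.%fZ")
            return ts.replace(tzinfo=timezone.utc), "iso"
        except ValueError:
            pass  # shaped like the preferred format but not a real date
    m = SYSLOG_RE.match(event)
    if m:
        try:
            # Assumption: the year and zone are supplied by the caller.
            ts = datetime.strptime(f"{assumed_year} {m.group(0)}",
                                   "%Y %b %d %H:%M:%S")
            return ts.replace(tzinfo=assumed_tz), "syslog"
        except ValueError:
            pass
    return None, "none"

# The three sample events from the question.
EVENTS = [
    "Nov 19 21:56:10 myhost1 myapp1 2018-11-19T21:56:10.394Z level=INFO",
    "Nov 19 21:57:20 myhost2 myapp2 [10.110.101.85]: 2018-11-19 21:57:20:322 [INFO ]",
    "Nov 19 21:58:30 myhost3 myapp3 status=failed exit_code=2",
]

def classify(events, assumed_year=2018):
    """Apply the fallback to each event and report which source was used."""
    return [event_time(e, assumed_year) for e in events]

if __name__ == "__main__":
    for e, (ts, src) in zip(EVENTS, classify(EVENTS)):
        print(src, ts.isoformat() if ts else None, "|", e)
```

The second event falls back to the header because its embedded timestamp uses a space and a colon before the milliseconds, so it does not match the preferred format.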