This is probably a simple answer, but I'm struggling to get it right 😞
I have events of fixed length - each event is 775 chars long. Fine. Each event is on a new line also.
The timestamp in the event is in %Y%m format. This timestamp always starts in the 15th character position of the event - 15, 16, 17, 18 = year. 19, 20 = month (I have pasted two events below where timestamp = 201301). I'm happy to snap the day to 01 of the month. I know this is not ideal for Splunk.
So at index time I set the following in props.conf
I have included max days ago due to the events age.
But this does not work. I have tried changing the number for time prefix, lookahead, etc to no avail. Attached is a sample of 2 events. If anyone can help me out to get the timestamp extracted, it will be a great day!
Given that the timestamp begins on the 15th character, there would only be a 14-character prefix, and I think you ought to look ahead to at least the character position marking the end of the timestamp.
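A props.conf stanza written along the lines the answer suggests, added here as an illustration and not part of the original question or answer. The sourcetype name `fixed775` and the MAX_DAYS_AGO value are assumptions; the character positions and %Y%m format come from the question.

```ini
# Assumed sourcetype name for the 775-character fixed-length events (illustration only)
[fixed775]
# Each event sits on its own line, so break on newlines and never merge lines into one event
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# The timestamp starts at character 15, so the prefix is exactly the first 14 characters of the event
TIME_PREFIX = ^.{14}
# YYYYMM occupies characters 15-20 (6 characters); the lookahead must reach the end of the timestamp
MAX_TIMESTAMP_LOOKAHEAD = 6
# Year and month only; Splunk will fill the missing day, which is acceptable per the question (snap to 01)
TIME_FORMAT = %Y%m
# Raised from the default so that old (2013) events are not rejected; pick a value that covers the data's age
MAX_DAYS_AGO = 10000
```

The stanza must be on the indexer (or heavy forwarder) that parses the data, and it only applies to events indexed after the change; already-indexed events keep the timestamps they were given. A quick way to confirm the parse is to index the two sample events and compare `_time` against the `201301` at characters 15-20.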