I need to setup a props for an event with the following format. Not certain what to put for "Z" (or if it's needed at all)..
<166>2015-06-09T18:07:27.999Z dtgdman67esx.abc.com Vpxa: [2F582B70 verbose 'hostdstats'] Set internal stats for VM: 250 (vpxa VM id), 1313 (vpxd VM id). Is FT primary? false
Here's my props.conf:
MAX_TIMESTAMP_LOOKAHEAD = 40 NO_BINARY_CHECK = 1 TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N SHOULD_LINEMERGE = false TIME_PREFIX = > LINE_BREAKER = ([\r\n]+) ANNOTATE_PUNCT = false KV_MODE=auto
Presumably the "Z" is for "Zulu" (AKA "GMT" and "UTC") so we will just ignore it as part of the timestamp (unless some times have other characters than "Z"); try this:
MAX_TIMESTAMP_LOOKAHEAD = 24 TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N SHOULD_LINEMERGE = false TIME_PREFIX = [^\>]*> ANNOTATE_PUNCT = false KV_MODE=auto TZ = UTC
Thanks. I tested it, and it looked correct, but after I imported it, the timestamp was incorrect. (Should be eastern, but took the timestamp in the event.