In myy log, there are two timestamp formats like this:
logname=test. msg=[20150602 111413] aaa
logname=test. msg=[111400:808] bbbbbb
A) [20150602 111413] means At 11:14:13 on June 2nd, 2015
B) [111400:808] means 11:14:00 808 milliseconds
How do I configure the props.conf file to get these two timestamps simultaneously? Sometimes my log is indexed with timestamp A and sometimes timestamp B.
Thanks for your help .However,I donot know how to use TIME_FORMAT ,which log has two timestamps.
I have done like this:
TIME_FORMAT=(%y%m%d %H%M%S) | (%H%M%S:%3N )
But,the TIME_FORMAT has no use in any one.
I think ,to have the two timestamps, we need only to set the TIME_FORMAT to the format of 11:14:00 808 milliseconds
.By doing so the other timestamp will be set by default to the same format.
SO try this TIME_FORMAT= %y%m%d %H%M%S%3Q
where 3Q is for milliseconds.
AND do not forget to specify TIME_PREFIX . your stanza in props.conf will look like this for example:
TIME_PREFIX = ][
TIME_FORMAT = %y%m%d %H%M%S%3Q
TIME_FORMAT starts reading after the TIME_PREFIX (or directly at the start of the event, if there's no TIME_PREFIX attribute).