Splunk is indexing a log file that has a format like this:
11:03:51.319 Notify Host: HOST_STATUS_UNKNOWN {279, bdl58056}
The events can also be multi-line. So, I set up the props.conf for this sourcetype like this:
SHOULD_LINEMERGE = true
TIME_PREFIX = \d{2}:\d{2}:\d{2}\.\d{3}\s
TIME_FORMAT = %H:%M:%S.%3N
MAX_TIMESTAMP_LOOKAHEAD = 13
BREAK_ONLY_BEFORE_DATE = true
The timestamp doesn't seem to be getting picked up and assigned to _time correctly. How do I set up the event timestamp properly when the "timestamp" on the event is only the time (I can assume the date is the current date)?
Change this line:
TIME_PREFIX = ^
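To make the difference concrete, here is an added Python sketch (not from the thread, and a simplified model of Splunk's timestamp logic rather than Splunk's own code, with the sample event constructed in the question's format) showing why the original TIME_PREFIX finds no timestamp while `^` does:

```python
import re
from datetime import date, datetime

# Constructed sample event in the same shape as the one in the question.
EVENT = "11:03:51.319 Notify Host: HOST_STATUS_UNKNOWN {279, bdl58056}"

# The two TIME_PREFIX values from the thread.
ORIGINAL_PREFIX = r"\d{2}:\d{2}:\d{2}\.\d{3}\s"   # question: matches (and consumes) the timestamp
FIXED_PREFIX = r"^"                              # answer: anchor at the start of the event

# Regex equivalent of TIME_FORMAT = %H:%M:%S.%3N (no date fields at all).
TIME_FORMAT_RE = re.compile(r"(\d{2}):(\d{2}):(\d{2})\.(\d{3})")


def extract_time(event, time_prefix, lookahead=13, today=None):
    """Simplified model (an assumption, not Splunk's code) of how the props.conf
    settings interact:
      1. TIME_PREFIX is a regex; the timestamp search starts AFTER its match.
      2. Only MAX_TIMESTAMP_LOOKAHEAD characters past the prefix are scanned.
      3. TIME_FORMAT carries no date, so the date is taken from `today`.
    Returns a datetime, or None when no timestamp is recognised.
    """
    prefix_match = re.search(time_prefix, event)
    if prefix_match is None:
        return None
    start = prefix_match.end()
    window = event[start:start + lookahead]
    ts = TIME_FORMAT_RE.search(window)
    if ts is None:
        return None
    hour, minute, second, millis = (int(g) for g in ts.groups())
    today = today or date.today()
    return datetime(today.year, today.month, today.day,
                    hour, minute, second, millis * 1000)


def compare(event=EVENT, today=date(2014, 1, 1)):
    """Run both prefixes over the same event; `today` is pinned for repeatability."""
    return (extract_time(event, ORIGINAL_PREFIX, today=today),
            extract_time(event, FIXED_PREFIX, today=today))


if __name__ == "__main__":
    broken, fixed = compare()
    # The original prefix swallows "11:03:51.319 ", leaving "Notify Host: " in the
    # 13-character lookahead window, so no time is found and _time falls back to
    # Splunk's default instead of the event's own time. With "^" the time is
    # parsed and the current date is attached.
    print("original prefix ->", broken)   # None
    print("fixed prefix    ->", fixed)    # 2014-01-01 11:03:51.319000
```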
Thank you, woodcock!