I have an event that starts something like this:
2012-03-20 06:07:00.000,BLANK,11.12.13.14,,,IP,Linux hostname 2.6.18-194.el5 1 SMP Tue Mar 16 21:52:39 EDT 2010 x86 64,
The first field is the timestamp of the event; I've inserted a blank value to separate it from the IP, as it seemed not to be identifying that as a proper timestamp. The problem I've got is that the parser is using the time portion of the timestamp (06:07:00) but the date from the kernel string ("Mar 16 .... 2010").
Within inputs.conf I've tried adding a prefix to lock the lookahead to the start of the event and not look beyond the end of the timestamp, but it still picks out the wrong thing.
TIME_FORMAT = %Y-%m-%d %H:%M:%S.000
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 25

These are good settings, but they belong in props.conf, not inputs.conf. And the stanza header for props.conf is a little different.
[yourSourcetype]
TIME_FORMAT = %Y-%m-%d %H:%M:%S.000
MAX_TIMESTAMP_LOOKAHEAD = 25
should do it. You might not even need the time format.
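To show what the two props.conf settings actually constrain, here is a small added simulation (not Splunk's parser and not code from the thread): it anchors at TIME_PREFIX, parses only the next MAX_TIMESTAMP_LOOKAHEAD characters with TIME_FORMAT, and lists every date-like token an unconstrained scan would consider, which is how the kernel build date can end up stamped on the event. The EVENT string is the constructed sample from the question; names and the prefix-trimming loop are my own.

```python
import re
from datetime import datetime

# Constructed sample: the event from the question, kernel uname string included.
EVENT = ("2012-03-20 06:07:00.000,BLANK,11.12.13.14,,,IP,"
         "Linux hostname 2.6.18-194.el5 1 SMP Tue Mar 16 21:52:39 EDT 2010 x86 64,")

# Stand-ins for the props.conf settings from the answer (hypothetical constants).
TIME_FORMAT = "%Y-%m-%d %H:%M:%S.000"
TIME_PREFIX = "^"
MAX_TIMESTAMP_LOOKAHEAD = 25


def extract_timestamp(event, time_format=TIME_FORMAT, time_prefix=TIME_PREFIX,
                      lookahead=MAX_TIMESTAMP_LOOKAHEAD):
    """Toy model of the props.conf rule: find TIME_PREFIX, then parse only the
    next `lookahead` characters with TIME_FORMAT. Returns a datetime or None."""
    m = re.search(time_prefix, event)
    if m is None:
        return None
    window = event[m.end():m.end() + lookahead]
    # strptime needs the whole string to match, so try progressively shorter
    # prefixes of the window until the format fits (or nothing does).
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], time_format)
        except ValueError:
            continue
    return None


def find_date_candidates(event):
    """Why an unconstrained scan is risky: every date-looking token in the event
    is a candidate, including the kernel build date in the uname string."""
    patterns = [r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}",
                r"[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2} [A-Z]{3} \d{4}"]
    return [m.group(0) for p in patterns for m in re.finditer(p, event)]
```

With the settings from the answer the first candidate is the only one in the window; with a malformed format such as `$S` instead of `%S` nothing in the window parses at all, so the event falls back to whatever the parser guesses.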
Doh!
Thanks.
