we have a syslog message like:
Mar 20 16:27:09 hostname.com Mar 20 16:17:01 hostname 2020-20-03 16:27:02,486 hostname messsage
With a SEDCMD I can remove the first part up to the year.
Then I have:
2020-20-03 16:27:02,486 hostname messsage
If there is another time string in the message I have to use TIME_PREFIX in props.conf.
What regex do I have to use? Starting at the line beginning (that is, after the SEDCMD) or on the initial message with a little bit more regex?
What is the parsing order Splunk uses in props.conf? First the SEDCMD and then the prefix, or is stripping the very last thing Splunk does with the event?
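Added example, not part of the original question: a small Python mock-up of the two TIME_PREFIX choices run against the sample event quoted above. The SEDCMD expression, both TIME_PREFIX regexes and the fixed lookahead window are constructed here to mimic props.conf behaviour, and the TIME_FORMAT in the rendered stanza assumes a YYYY-MM-DD layout (the sample in the question has "20" in the month position, so adjust if the day and month are swapped in the real data). Splunk's indexing documentation puts timestamp extraction in the merging pipeline and SEDCMD in the later typing pipeline, which is why the example checks each prefix against the raw event as well as the stripped one.

```python
import re

# Constructed sample event, copied from the question (spelling of the payload kept as posted).
RAW_EVENT = ("Mar 20 16:27:09 hostname.com Mar 20 16:17:01 hostname "
             "2020-20-03 16:27:02,486 hostname messsage")

# Python equivalent of an assumed SEDCMD that drops everything before the first
# YYYY-MM-DD token. props.conf form:  SEDCMD-strip = s/^.*?(\d{4}-\d{2}-\d{2})/\1/
SED_PATTERN = re.compile(r"^.*?(?=\d{4}-\d{2}-\d{2})")

# Assumed TIME_PREFIX written against the RAW event: skip two "Mon DD HH:MM:SS host " blocks.
RAW_TIME_PREFIX = re.compile(r"^(?:[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ ){2}")

# Assumed TIME_PREFIX that only works once the sed strip has run (timestamp at line start).
STRIPPED_TIME_PREFIX = re.compile(r"^")

# The ISO-style timestamp the event really carries, i.e. what TIME_FORMAT would describe.
ISO_TS = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}")


def apply_sed(event: str) -> str:
    """Apply the SEDCMD-style strip once, anchored at the start of the event."""
    return SED_PATTERN.sub("", event, count=1)


def timestamp_after_prefix(event: str, prefix: re.Pattern, lookahead: int = 23):
    """Mimic TIME_PREFIX + MAX_TIMESTAMP_LOOKAHEAD: locate the prefix, then look for the
    ISO timestamp within `lookahead` characters after it. Returns the timestamp or None."""
    m = prefix.search(event)
    if not m:
        return None
    window = event[m.end():m.end() + lookahead]
    ts = ISO_TS.match(window)
    return ts.group(0) if ts else None


def props_stanza(sourcetype: str) -> str:
    """Render the props.conf stanza this example corresponds to (regexes are assumptions)."""
    return "\n".join([
        f"[{sourcetype}]",
        r"SEDCMD-strip = s/^.*?(\d{4}-\d{2}-\d{2})/\1/",
        r"TIME_PREFIX = ^(?:[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ ){2}",
        "TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N",  # assumed layout, see lead-in
        "MAX_TIMESTAMP_LOOKAHEAD = 23",
    ])


if __name__ == "__main__":
    stripped = apply_sed(RAW_EVENT)
    print("after sed :", stripped)
    print("raw  + long prefix   :", timestamp_after_prefix(RAW_EVENT, RAW_TIME_PREFIX))
    print("raw  + '^' prefix    :", timestamp_after_prefix(RAW_EVENT, STRIPPED_TIME_PREFIX))
    print("sed  + '^' prefix    :", timestamp_after_prefix(stripped, STRIPPED_TIME_PREFIX))
    print(props_stanza("my_syslog"))
```

Running it shows the line-start prefix finding the ISO timestamp only on the stripped text, while the longer prefix finds it on the raw event; since the raw event is what timestamp extraction sees, the longer prefix is the one to put in props.conf.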