The first time format is
Fri Dec 21 11:17:30 2018
The other one is
2018-12-21T11:17:31.051061
I was wondering how I would line-break this, and also, how would I format the time format to accept both times?
If a single file has more than 1 timestamp format, then the developers should get a serious paddling and either split the events or pick one format and stick to it. Until that happens, you can force Splunk to look for both with a custom datetime.xml file:
https://www.splunk.com/blog/2014/04/23/its-that-time-again.html
Each unique format should be tied to a sourcetype. You create base configs that tell Splunk how to read the timestamp and break the events properly relative to the sourcetype. In theory, you write the sourcetype rules once for each log format and you tie new events to that sourcetype.
Yeah, I know that. What I was wondering is: is there a way to properly format two different time formats located in one log file?
Well, yeah... If they are in the same log file, then, assuming they are of the same type, they should be in the same format. If not, then you can route them to a different sourcetype.
Use the documentation for sourcetype override. Have timestamp parsing for both sourcetypes as per your needs. While pulling data from index, pull both sourcetypes:
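An added example of the sourcetype-override approach from the last reply, not configuration from this thread or from Splunk's docs: props.conf and transforms.conf stanzas for a file that mixes the two timestamps from the question. The sourcetype names `app_mixed`, `app_ctime` and `app_iso` are assumed.

```ini
# props.conf  (added example; sourcetype names are assumed)

# Base sourcetype assigned to the mixed file in inputs.conf.
[app_mixed]
SHOULD_LINEMERGE = false
# Every event starts with one of the two timestamps from the question,
# so break on a newline that is followed by either of them.
LINE_BREAKER = ([\r\n]+)(?=[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} \d{4}|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})
# No TIME_FORMAT here: a stanza takes only one, and timestamp extraction
# runs before the TRANSFORMS-based sourcetype rewrite below, so the default
# datetime.xml is left to recognize whichever format starts the event.
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 32
# Route each event to a per-format sourcetype; the two regexes are
# mutually exclusive, so at most one of them fires per event.
TRANSFORMS-set_sourcetype = app_mixed_to_iso, app_mixed_to_ctime

# Per-format sourcetypes. Their TIME_FORMAT applies to data sent directly
# with these sourcetypes; events rewritten from app_mixed already had their
# timestamp extracted under the app_mixed settings above.
[app_ctime]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} \d{4})
TIME_PREFIX = ^
TIME_FORMAT = %a %b %d %H:%M:%S %Y
MAX_TIMESTAMP_LOOKAHEAD = 24

[app_iso]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\d{4}-\d{2}-\d{2}T)
TIME_PREFIX = ^
# %6N consumes the six-digit microsecond field in 2018-12-21T11:17:31.051061
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N
MAX_TIMESTAMP_LOOKAHEAD = 26

# transforms.conf

[app_mixed_to_iso]
REGEX = ^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::app_iso

[app_mixed_to_ctime]
REGEX = ^[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} \d{4}
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::app_ctime
```

A search then pulls both halves of the file back together with `sourcetype=app_ctime OR sourcetype=app_iso`; check the result with `| eval parsed=strftime(_time, "%Y-%m-%dT%H:%M:%S.%6N")` against `_raw` to confirm that neither format fell back to index time.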