Hi,
I have the following log format,
How can I break this multiline event on the condition that "2019-11-12T09:51:28.291" arrives?
Note that the log needs to be indexed with Local Time.
Application Name: teste
Application Type: teste
Application Host (config spec): teste
Application Id: 1678
Application Version: teste
Application Backup: teste
Application Connections:
teste (INTERACTION_SERVER) on teste
teste (CONTACT_SERVER) on teste
teste (MESSAGE_SERVER) on teste
teste (CONFIG_SERVER) on teste
teste (CONFIG_SERVER) on teste
Timezone Display name: Brasilia Time
Timezone UTC offset: 03:00:00
UTC Start Time: 2019-11-09T05:25:11.154
Running Time (DDD:HH:MM:SS): 003:07:26:17
UTC Time: 2019-11-12T12:51:28.338
Local Time: 2019-11-12T09:51:28.338
Memory Usage (bytes): 306847520 / 372248576
Host Info: Windows Server 2008 R2
Host Architecture: amd64
OS Version: 6.1
File Encoding: Cp1252
Start Folder: teste
File: teste
Java Vendor: Oracle Corporation
Java Version: teste
Java Home: D:\Program Files\Java\JAVA231
Application Options: {
{ settings ['max-cnx-to-ucs' [str] = "30", 'webapi-port' [str] = "8777", 'ucs-reconnect-timeout' [str] = "80000", 'cnx-to-ucs-wait-time' [str] = "120000", 'ucs-duplex-mode' [str] = "FALSE", ]}
2019-11-12T09:51:28.291 Dbg 23058 [MsgIn] Ended defined Clients :
The log should be one line until it finds "2019-11-12T09:51:28.291", but must be indexed with local time, in this case "2019-11-12T09:51:28.338".
I am a little confused about your line breaking question, so I am assuming a second event with the same format will follow what you have pasted in, and so the line breaker is the newline following a line that starts with a timestamp (see https://regex101.com/r/uB6tJJ/1 )...
This also uses the Local_Time as the timestamp for the event.
[sourcetypename]
disabled = false
LINE_BREAKER = [\r\n]\s+?\d{4}\-\d{2}\-\d{2}T\d{2}\:\d{2}\:\d{2}\.\d{3}\s.+([\r\n]+)
SHOULD_LINEMERGE = false
TIME_PREFIX = Local\sTime\:\s+
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3n
MAX_TIMESTAMP_LOOKAHEAD = 25
TRUNCATE = 10000
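The stanza above can be checked offline before it is deployed. The following is an added example, not part of the original answer and not Splunk code: a Python simulation of LINE_BREAKER (text matched by the first capture group is discarded and marks the event boundary) and of TIME_PREFIX with MAX_TIMESTAMP_LOOKAHEAD. It runs on a constructed, shortened sample that assumes CRLF line endings; the helper names `record`, `split_events` and `event_time` are hypothetical.

```python
import re
from datetime import datetime

# Settings copied from the props.conf stanza in the answer above.
LINE_BREAKER = r"[\r\n]\s+?\d{4}\-\d{2}\-\d{2}T\d{2}\:\d{2}\:\d{2}\.\d{3}\s.+([\r\n]+)"
TIME_PREFIX = r"Local\sTime\:\s+"
MAX_TIMESTAMP_LOOKAHEAD = 25
# Python stand-in for TIME_FORMAT; %f parses the three subsecond digits.
PY_TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%f"

def record(local_time, trailer_time):
    """Constructed, shortened record in the layout of the question's sample."""
    return ["Application Name: teste",
            "UTC Time: 2019-11-12T12:51:28.338",
            f"Local Time: {local_time}",
            "Application Options: {",
            f"{trailer_time} Dbg 23058 [MsgIn] Ended defined Clients :"]

def split_events(raw):
    """Group 1 of LINE_BREAKER is discarded; text before it ends one event
    and text after it starts the next."""
    events, start = [], 0
    for m in re.finditer(LINE_BREAKER, raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e for e in events if e.strip()]

def event_time(event):
    """Find TIME_PREFIX, then parse a timestamp inside the lookahead window."""
    prefix = re.search(TIME_PREFIX, event)
    if prefix is None:
        return None
    window = event[prefix.end():prefix.end() + MAX_TIMESTAMP_LOOKAHEAD]
    ts = re.match(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}", window)
    return datetime.strptime(ts.group(0), PY_TIME_FORMAT) if ts else None

LINES = (record("2019-11-12T09:51:28.338", "2019-11-12T09:51:28.291")
         + record("2019-11-12T09:52:30.120", "2019-11-12T09:52:30.101"))
CRLF_SAMPLE = "\r\n".join(LINES) + "\r\n"  # Windows line endings (assumed)
LF_SAMPLE = "\n".join(LINES) + "\n"        # same data, Unix line endings

if __name__ == "__main__":
    for ev in split_events(CRLF_SAMPLE):
        print(event_time(ev), "|", ev.splitlines()[-1])
    # With LF-only endings `[\r\n]\s+?` finds no whitespace before the date,
    # so no break is made and the input stays one event.
    print(len(split_events(LF_SAMPLE)))
```

Checking the line endings of the real file matters here, because the same pattern behaves differently on CRLF and LF input in this simulation.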
Did you mean to say you need to break the event every time it finds `2019-11-12T09:51:28.291` in your log file?
Is that timestamp going to be constant, or is it going to change?
And also, as I understand it, you need to pick the local timestamp of the indexer as _time, not the time in the event?
Please confirm.
Also, we would appreciate it if you could provide some more sample data.
What do you mean "The log should be one line until?" Do you mean that everything from the "Application Name:" through the line starting with the date is supposed to be the event? Or do you mean something else?
Need more clarity on this question.