Hi all,
Here is how my raw logs look. I need help with props.conf so that I can index by the second time field instead of the first one.
Sep 19 12:45:19 129.106.x.x fdbsyslog: timestamp=2017.09.19 - 12:25:16.056 devname=123 device_id=123 type=alert
Thanks in advance
You'll want to use something like this in the props.conf:
TIME_FORMAT=%Y.%m.%d - %T.%N
TIME_PREFIX=timestamp=
Hey @dmenon84, if @cpetterborg's solution+comment worked then please don't forget to accept his answer to award karma points and close the question. 🙂
Thanks for the quick response. Before I try this, what do you think about my line breaker in the props file?
TIME_FORMAT=%Y.%m.%d - %T.%N
TIME_PREFIX=timestamp=
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\n\r]+)\w+\s+\d+\s\d{2}:\d{2}:\d{2}
Each event starts with a timestamp:
Sep 19 12:23:26 129.106.x.x fdbsyslog: timestamp=2017.09.19 - 12:03:22.980 devname=1123 device_id=abc type=alert
Sep 19 12:23:26 129.106.x.x fdbsyslog: timestamp=2017.09.19 - 12:03:22.980 devname=123 device_id=cde type=alert
More easily understood is the ^ instead of ([\n\r]+); be more specific on the month, and use BREAK_ONLY_BEFORE, so I'd do:
BREAK_ONLY_BEFORE = ^\w{3}\s+\d+\s\d{2}:\d{2}:\d{2}
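Added example, not code from the thread or from Splunk: a small Python harness that approximates how Splunk applies LINE_BREAKER, BREAK_ONLY_BEFORE, TIME_PREFIX and TIME_FORMAT, so the timestamp settings from the first answer and the line-breaking settings from the last one can be checked against the posted sample lines before touching a production props.conf. Two caveats it is built around: BREAK_ONLY_BEFORE is one of Splunk's line-merging settings and only takes effect when SHOULD_LINEMERGE = true (with SHOULD_LINEMERGE = false it is LINE_BREAKER that splits events), and %T and %N are Splunk strptime specifiers that the harness maps onto Python's %H:%M:%S and %f as an approximation. The sample lines are reconstructed from the ones posted above; the function and variable names are this example's own.

```python
"""Offline sanity check of the props.conf settings discussed in this thread.

Added example, not Splunk code.  It approximates three Splunk behaviours:
  * LINE_BREAKER: the first capture group marks the event boundary and is dropped
  * BREAK_ONLY_BEFORE: every line matching the regex starts a new event
    (Splunk only honours this when SHOULD_LINEMERGE = true)
  * TIME_PREFIX / TIME_FORMAT: the timestamp is read right after the prefix
Splunk's %T and %N are mapped onto Python's %H:%M:%S and %f (1-6 fractional
digits); other Splunk-only specifiers raise an error rather than guess.
"""
import re
from datetime import datetime

# Sample raw input, constructed from the lines posted in the thread.
RAW = (
    "Sep 19 12:45:19 129.106.x.x fdbsyslog: timestamp=2017.09.19 - 12:25:16.056 "
    "devname=123 device_id=123 type=alert\n"
    "Sep 19 12:23:26 129.106.x.x fdbsyslog: timestamp=2017.09.19 - 12:03:22.980 "
    "devname=1123 device_id=abc type=alert\n"
    "Sep 19 12:23:26 129.106.x.x fdbsyslog: timestamp=2017.09.19 - 12:03:22.980 "
    "devname=123 device_id=cde type=alert\n"
)

# Settings as discussed in the thread (LINE_BREAKER uses the tighter \w{3} month).
LINE_BREAKER = r"([\n\r]+)\w{3}\s+\d+\s\d{2}:\d{2}:\d{2}"
BREAK_ONLY_BEFORE = r"^\w{3}\s+\d+\s\d{2}:\d{2}:\d{2}"
TIME_PREFIX = r"timestamp="
TIME_FORMAT = "%Y.%m.%d - %T.%N"          # Splunk strptime syntax

_SPLUNK_TO_PY = {"%T": "%H:%M:%S", "%N": "%f"}   # assumed mapping, see lead-in
_SPEC_RE = {"%Y": r"\d{4}", "%m": r"\d{2}", "%d": r"\d{2}",
            "%H": r"\d{2}", "%M": r"\d{2}", "%S": r"\d{2}", "%f": r"\d{1,6}"}


def split_with_line_breaker(raw, line_breaker):
    """Split raw text the way LINE_BREAKER does: break at group 1, discard it."""
    events, pos = [], 0
    for m in re.finditer(line_breaker, raw):
        events.append(raw[pos:m.start(1)])
        pos = m.end(1)
    events.append(raw[pos:])
    return [e.strip("\r\n") for e in events if e.strip()]


def split_with_break_only_before(raw, pattern):
    """Line-merge mode: a line matching the pattern starts a new event,
    any other line is appended to the current one."""
    events = []
    for line in raw.splitlines():
        if re.match(pattern, line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


def splunk_to_strptime(fmt):
    """Translate the Splunk TIME_FORMAT specifiers that Python lacks."""
    for splunk, py in _SPLUNK_TO_PY.items():
        fmt = fmt.replace(splunk, py)
    return fmt


def format_to_regex(py_fmt):
    """Build a regex that matches exactly the text a strptime format consumes."""
    out, i = [], 0
    while i < len(py_fmt):
        if py_fmt[i] == "%" and i + 1 < len(py_fmt):
            spec = py_fmt[i:i + 2]
            if spec not in _SPEC_RE:
                raise ValueError("unsupported specifier " + spec)
            out.append(_SPEC_RE[spec])
            i += 2
        else:
            out.append(re.escape(py_fmt[i]))
            i += 1
    return "".join(out)


def extract_time(event, time_prefix, time_format):
    """Return the datetime found right after TIME_PREFIX, or None if absent."""
    py_fmt = splunk_to_strptime(time_format)
    m = re.search(time_prefix + "(" + format_to_regex(py_fmt) + ")", event)
    return datetime.strptime(m.group(1), py_fmt) if m else None


def header_time(event):
    """The leading syslog-header timestamp (the first field, which the asker
    does not want as _time).  The header carries no year, so 1900 comes back."""
    m = re.match(BREAK_ONLY_BEFORE, event)
    return datetime.strptime(m.group(0), "%b %d %H:%M:%S") if m else None


def ingest_delay_seconds(event):
    """Header time minus device time: how late the relay stamped the event."""
    device = extract_time(event, TIME_PREFIX, TIME_FORMAT)
    header = header_time(event).replace(year=device.year)
    return (header - device).total_seconds()


if __name__ == "__main__":
    events = split_with_line_breaker(RAW, LINE_BREAKER)
    assert events == split_with_break_only_before(RAW, BREAK_ONLY_BEFORE)
    for ev in events:
        print(extract_time(ev, TIME_PREFIX, TIME_FORMAT),
              "relay delay %.3fs" % ingest_delay_seconds(ev))
```

Running it shows both splitting strategies produce the same three events for this input, that the device timestamp after `timestamp=` parses with millisecond precision, and that the syslog header runs roughly twenty minutes ahead of the device clock in the sample, which is precisely why _time should come from the second field rather than the first.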
Thank you for all the help!