I was having the hardest time with this today - thank you for the tip, @nekb1958.
I had switched from "sample" to "replay" as well and kept getting the same error over and over. I didn't understand @nekb1958's answer at first, but now I see what I'm supposed to do. I'm documenting it further below.
In my example, the timestamp looked like this:
Oct 16 10:59:54
In SAMPLE mode, you would use the three lines as follows, where the token regex is completely separate from the replacement format.
token.0.token = \w{3} \d{2} \d{2}:\d{2}:\d{2}
token.0.replacementType = timestamp
token.0.replacement = %d/%b/%Y:%H:%M:%S.%f
Here, the token does not need to match the replacement - the replacement variable is the POSIX format of the timestamp you want EventGen to insert into the result, while the token is the string you want to match. In the above case, I changed the timestamp to a new format just as an example.
In REPLAY mode, however, it seems the token regex and the replacement need to match.
token.0.token = \w{3} \d{2} \d{2}:\d{2}:\d{2}
token.0.replacementType = timestamp
token.0.replacement = %b %d %H:%M:%S
That way, it knows where to look for a timestamp (via token regex) and it knows the POSIX format of the timestamp (via replacement format).
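A pre-flight check for the replay-mode requirement described above, as an added example that is not part of the original post or of EventGen itself: it confirms that the text matched by the token regex actually parses with the replacement format. It assumes Python's `datetime.strptime` is a fair stand-in for how the timestamp is parsed; the function names and the sample events are constructed for illustration.

```python
import re
import warnings
from datetime import datetime

# Constructed sample events; the first two use the timestamp layout from the post.
EVENTS = [
    "Oct 16 10:59:54 host01 sshd[4242]: Accepted publickey for svc_backup",
    "Oct 16 11:00:07 host01 sshd[4242]: Disconnected from user svc_backup",
    "2023-10-16T11:00:09 host01 sshd[4250]: Connection closed",  # different layout
]

TOKEN_REGEX = r"\w{3} \d{2} \d{2}:\d{2}:\d{2}"
REPLAY_FORMAT = "%b %d %H:%M:%S"        # mirrors the regex, as replay mode needs
SAMPLE_FORMAT = "%d/%b/%Y:%H:%M:%S.%f"  # output-only format from the sample-mode stanza


def check_token(event, token_regex, replacement):
    """Return (ok, detail): does the regex match, and does the match parse?"""
    match = re.search(token_regex, event)
    if match is None:
        return False, "token regex does not match the event"
    text = match.group(0)
    try:
        with warnings.catch_warnings():
            # Newer Python versions warn when a day is parsed without a year.
            warnings.simplefilter("ignore", DeprecationWarning)
            parsed = datetime.strptime(text, replacement)
    except ValueError as exc:
        return False, f"{text!r} does not parse as {replacement!r}: {exc}"
    # Round-trip to catch formats that parse leniently but re-emit differently.
    if parsed.strftime(replacement) != text:
        return False, f"{text!r} round-trips to {parsed.strftime(replacement)!r}"
    return True, f"{text!r} parses as {replacement!r}"


def failing_lines(events, token_regex, replacement):
    """Indexes of events whose timestamp cannot be located and parsed."""
    return [i for i, event in enumerate(events)
            if not check_token(event, token_regex, replacement)[0]]


if __name__ == "__main__":
    for fmt in (REPLAY_FORMAT, SAMPLE_FORMAT):
        print(fmt, "->", check_token(EVENTS[0], TOKEN_REGEX, fmt))
    print("lines failing in replay:", failing_lines(EVENTS, TOKEN_REGEX, REPLAY_FORMAT))
```
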