I am having a difficult time extracting the correct timestamp from a specific log.
As you can see below, at the beginning of the log entry there are two timestamps back to back.
2851,10/06/2011,18:59:29,10/06/2011,14:59:29,1011,
Here is my props.conf
[sourcetype]
MAX_TIMESTAMP_LOOKAHEAD = 20
TZ = America/New_York
TIME_PREFIX = \d{4},\d{2}/\d{2}/\d{4},\d{2}\:\d{2}\:\d{2},
The first timestamp is still being extracted. See anything wrong here?
EDIT: Can I perform these actions on a Universal Forwarder? Now that I think about it, I can't. Only a Heavy forwarder, correct?
EDIT: Looks like this was my fault. I had been trying this on a Universal Forwarder - I moved this to my Heavy Forwarder and it works! Thanks.
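For anyone checking a stanza like this before deploying it to a heavy forwarder or indexer, here is an added example (my own code, not Splunk's) that approximates how TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD narrow the search window, using the log line and settings from the post; the TIME_FORMAT string is an assumption, since the stanza above relies on Splunk's auto-detection.

```python
import re
from datetime import datetime
from zoneinfo import ZoneInfo

# Log entry copied from the question (constructed sample input).
LOG_LINE = "2851,10/06/2011,18:59:29,10/06/2011,14:59:29,1011,"

# Settings taken from the props.conf stanza in the question.
TIME_PREFIX = r"\d{4},\d{2}/\d{2}/\d{4},\d{2}\:\d{2}\:\d{2},"
MAX_TIMESTAMP_LOOKAHEAD = 20
TZ = "America/New_York"
# Assumed layout of the timestamp that follows the prefix; the stanza above
# does not set TIME_FORMAT, so Splunk itself would auto-detect this.
TIME_FORMAT = "%m/%d/%Y,%H:%M:%S"
TIMESTAMP_RE = re.compile(r"\d{2}/\d{2}/\d{4},\d{2}:\d{2}:\d{2}")


def extract_timestamp(line, time_prefix=TIME_PREFIX,
                      lookahead=MAX_TIMESTAMP_LOOKAHEAD, tz=TZ):
    """Approximate Splunk's TIME_PREFIX / MAX_TIMESTAMP_LOOKAHEAD handling.

    The timestamp search begins right after the first match of time_prefix
    (at offset 0 when no prefix is configured) and inspects only the next
    `lookahead` characters. Returns a timezone-aware datetime, or None when
    no full timestamp fits inside that window.
    """
    start = 0
    if time_prefix:
        m = re.search(time_prefix, line)
        if m is None:
            return None  # prefix absent: real Splunk falls back to heuristics
        start = m.end()
    window = line[start:start + lookahead]
    ts = TIMESTAMP_RE.search(window)
    if ts is None:
        return None
    naive = datetime.strptime(ts.group(0), TIME_FORMAT)
    return naive.replace(tzinfo=ZoneInfo(tz))


if __name__ == "__main__":
    # Without a prefix (and a roomier lookahead) the first timestamp wins;
    # with the prefix from the stanza the second one is selected.
    print("no TIME_PREFIX:", extract_timestamp(LOG_LINE, time_prefix=None, lookahead=128))
    print("TIME_PREFIX   :", extract_timestamp(LOG_LINE))
```

Note that a 20-character lookahead is exactly enough for the 19-character timestamp plus its trailing comma here; a longer timestamp format with the same setting would silently fail to parse.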