You might want to double-check the first line of your bacula log file and make sure that it doesn't have a regular syslog style timestamp. If it does, this may be throwing off proper detection of the timestamp event for your bacula sourcetype on initial import. I had to delete the first line in my bacula log file and then re-index the data in order to correct the problem.
Also, at the risk of someone telling me that I'm doing my field extractions all wrong (I'm still learning), here is my bacula_logs sourcetype entry in props.conf in case it's helpful to anyone. So far it seems to be working well. If anyone has a suggestion for how I might improve upon it though, I'm open to ideas. 😃
[bacula_logs]
LEARN_MODEL=true
TIME_FORMAT = %d-%b %H:%M
EXTRACT-jobstatus = Termination:\s+\W*(?<jobstatus>(Backup OK|Backup Error|Backup Canceled))
EXTRACT-backupclient-1 = Client: \s*\W*(?<backupclient>[a-z0-9\-A-Z]*)
EXTRACT-backupclient-2 = gethostbyname\(\) for host "(?<backupclient>[a-z\.0-9\-A-Z]*)"
EXTRACT-backuplevel = Backup Level: \s*(?<backuplevel>\w*)
EXTRACT-compression = Software Compression: \s*(?<compression>\S+\s*%)
EXTRACT-sourcehost = \d+-\w\w\w \d+:\d+ \s*(?<sourcehost>\S*)
EXTRACT-jobid = JobId [:]*(?<jobid>\d+)
EXTRACT-byteswritten = SD Bytes Written:\s+(?<byteswritten>\S*)
EXTRACT-origination = ^\d\d-\w\w\w \d\d:\d\d (?<origination>\S+)
EXTRACT-fatal-error = Fatal error: (?<fatal_error>.*)
EXTRACT-fd-status = FD termination status: (?<fd_status>.*?(?=SD term))
EXTRACT-sd-status = SD termination status: (?<sd_status>.*?(?=Termination:))
EXTRACT-jobname = \s+Job: \s+(?<jobname>\S+)
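As an added example that is not part of the original post: an offline check that runs some of the stanza's EXTRACT regexes over a sample event and classifies the first line's timestamp before indexing. It assumes Python's `re` is close enough to Splunk's PCRE for these patterns; the sample event and the function names are constructed for illustration.

```python
import re

# Subset of the EXTRACT lines from the [bacula_logs] stanza above, copied verbatim.
PROPS = r'''
EXTRACT-jobstatus = Termination:\s+\W*(?<jobstatus>(Backup OK|Backup Error|Backup Canceled))
EXTRACT-backupclient-1 = Client: \s*\W*(?<backupclient>[a-z0-9\-A-Z]*)
EXTRACT-jobid = JobId [:]*(?<jobid>\d+)
EXTRACT-byteswritten = SD Bytes Written:\s+(?<byteswritten>\S*)
EXTRACT-origination = ^\d\d-\w\w\w \d\d:\d\d (?<origination>\S+)
EXTRACT-jobname = \s+Job: \s+(?<jobname>\S+)
'''

# Constructed sample event in the layout the regexes expect (not real Bacula output).
EVENT = """14-Mar 23:09 backup-dir JobId 1523: Bacula backup-dir 5.2.6 (21Feb12):
  JobId:                  1523
  Job:                    web01.2024-03-14_23.05.00_03
  Client:                 "web01-fd" 5.2.6
  SD Bytes Written:       1,234,567 (1.234 MB)
  Termination:            Backup OK
"""

BACULA_TS = re.compile(r"^\d{1,2}-[A-Z][a-z]{2} \d{2}:\d{2} ")        # TIME_FORMAT %d-%b %H:%M
SYSLOG_TS = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} ")  # e.g. "Mar 14 23:09:01"

def first_line_style(text):
    """Classify the timestamp at the very start of a log (its first line)."""
    if BACULA_TS.match(text):
        return "bacula"
    return "syslog" if SYSLOG_TS.match(text) else "unknown"

def load_extracts(props):
    """Return {class: compiled regex}; (?<n>...) becomes Python's (?P<n>...)."""
    out = {}
    for line in props.splitlines():
        key, sep, value = line.partition("=")  # only the first '=' separates key and regex
        if sep and key.strip().startswith("EXTRACT-"):
            pattern = re.sub(r"\(\?<(?![=!])", "(?P<", value.strip())
            out[key.strip()[len("EXTRACT-"):]] = re.compile(pattern)
    return out

def extract_fields(event, extracts):
    """Apply every extraction to one event; the first match wins per field name."""
    fields = {}
    for rx in extracts.values():
        m = rx.search(event)
        for name, val in (m.groupdict() if m else {}).items():
            fields.setdefault(name, val)
    return fields

print(first_line_style(EVENT), extract_fields(EVENT, load_extracts(PROPS)))
```

A result of "syslog" from `first_line_style` on the head of the file corresponds to the first-line case described at the top of the post.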