v5.0.4 indexers
I'm trying to get some Apache access logs to index with the correct timestamp, but no matter what I try, I can't get the date/time to be recognized correctly.
Example log:
www.somesite.com somestuff somemorestuff 192.168.1.1 2014-09-22 08:26:39 CDT 200 200 15416 - HTTP "GET blah" some more stuff
I've applied the following in props.conf to the sourcetype:
[thisparticular:apacheaccess]
MAX_TIMESTAMP_LOOKAHEAD=19
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=false
TIME_FORMAT=%Y-%m-%d %H:%M:%S
TIME_PREFIX=(?:\d{1,3}\.){3}\d{1,3}\s
The preview highlights the date and time as being found, but with a bit of a mixed-up timestamp:
9/20/01 7:22:39.000 AM
I'd prefer having the timestamp first in the raw log (which is still an option for me), but I want to exhaust efforts in trying to get the above to work before making a change to the log format.
Am I missing something simple here?