The sourcetype appears to take that into account already. I can't figure out why events are getting the wrong timestamp and are being combined. There are two artifacts occurring, and I cannot seem to replicate them.
props.conf
[mysql:generalQueryLog]
KV_MODE = multi_mysql_query_log
TRUNCATE = 0
TIME_FORMAT = %y%m%d %H:%M:%S
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = ^(\d{6})\s
EXTRACT-login_success = Connect\s*(?<user>[^@]+)@(?<client_host>\S+)
EVAL-action = case(isnotnull(client_host), "success")
EVAL-Id = case(isint(Id), Id)
MAX_TIMESTAMP_LOOKAHEAD = 128
This is what an event should look like, with a timestamp of 08/03/2015 4:42:02:
150803 4:42:02 102917 Connect
[email protected] on whatever
102917 Query select @@version_comment limit 1
102917 Query SELECT * FROM whatever WHERE foo Or bar
This is artifact #1 (wrong timestamp, truncation of event start), which shows a timestamp of 10/29/2015 8:42:02:
102917 Query select @@version_comment limit 1
102917 Query SELECT * FROM whatever WHERE foo Or bar
150803 4:44:08 102917 Connect
[email protected] on whatever
102917 Query select @@version_comment limit 1
102917 Query SELECT * FROM whatever WHERE foo Or bar
150803 4:47:12 102917 Connect
[email protected] on whatever
102917 Query select @@version_comment limit 1
102917 Query SELECT * FROM whatever WHERE foo Or bar
Artifact #2 (wrong timestamp and failure to break the event), which shows a timestamp of 10/29/2015 8:42:02:
150803 4:42:02 102917 Connect
[email protected] on whatever
102917 Query select @@version_comment limit 1
102917 Query SELECT * FROM whatever WHERE foo Or bar
150803 4:43:02 102917 Connect
[email protected] on whatever
102917 Query select @@version_comment limit 1
102917 Query SELECT * FROM whatever WHERE foo Or bar
150803 4:44:02 102917 Connect
[email protected] on whatever
102917 Query select @@version_comment limit 1
102917 Query SELECT * FROM whatever WHERE foo Or bar
150803 4:45:02 102917 Connect
[email protected] on whatever
102917 Query select @@version_comment limit 1
102917 Query SELECT * FROM whatever WHERE foo Or bar
150803 4:42:02 102917 Connect
[email protected] on whatever
102917 Query select @@version_comment limit 1
102917 Query SELECT * FROM whatever WHERE foo Or bar
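Added example, not part of the original post and not Splunk code: a small Python replay of the posted `BREAK_ONLY_BEFORE = ^(\d{6})\s` rule over a constructed sample in the shape of the general_log excerpt above (leading whitespace dropped, as in the paste; `user@host` stands in for the obfuscated account). The thread id `102917` is six digits followed by whitespace, so it satisfies the posted regex just as the date `150803` does, and every `Query` line becomes its own event with no date in front of it, which is the shape of artifact #1. The tightened regex and the `TIME_PREFIX = ^` behaviour are assumptions of this example, and the line-merge and timestamp emulation is simplified: where the script returns `None`, Splunk falls back to heuristic timestamp recognition instead.

```python
import re
from datetime import datetime

# Constructed sample modelled on the general_log excerpt in the post
# (leading whitespace dropped, as in the pasted text); user@host stands in
# for the obfuscated account.
SAMPLE_LOG = """150803 4:42:02 102917 Connect
user@host on whatever
102917 Query select @@version_comment limit 1
102917 Query SELECT * FROM whatever WHERE foo Or bar
150803 4:43:02 102917 Connect
user@host on whatever
102917 Query select @@version_comment limit 1
102917 Query SELECT * FROM whatever WHERE foo Or bar
"""

# BREAK_ONLY_BEFORE from the posted props.conf: any line opening with six
# digits and whitespace, which the thread id 102917 also satisfies.
LOOSE_BREAK = re.compile(r"^(\d{6})\s")
# Assumed replacement: require a date AND a time at the start of the line.
TIGHT_BREAK = re.compile(r"^\d{6}\s+\d{1,2}:\d{2}:\d{2}\s")

TIME_FORMAT = "%y%m%d %H:%M:%S"  # TIME_FORMAT from the posted props.conf
TIME_AT_START = re.compile(r"^(\d{6})\s+(\d{1,2}:\d{2}:\d{2})")


def break_events(text, break_before):
    """Emulate SHOULD_LINEMERGE = true with BREAK_ONLY_BEFORE: a line that
    matches break_before starts a new event, every other line is merged
    into the event in progress. Returns the events as strings."""
    events = []
    for line in text.splitlines():
        if break_before.search(line) or not events:
            events.append([line])
        else:
            events[-1].append(line)
    return ["\n".join(event) for event in events]


def extract_timestamp(event):
    """Parse TIME_FORMAT only at the start of the event (what an assumed
    TIME_PREFIX = ^ would enforce). Returns None when no date+time is there;
    real Splunk falls back to heuristic timestamp recognition at that point,
    which is how a thread id can be read as a date."""
    m = TIME_AT_START.match(event)
    if not m:
        return None
    return datetime.strptime(f"{m.group(1)} {m.group(2)}", TIME_FORMAT)


def summarize(text, break_before):
    """(line count, ISO timestamp or None) per event, to compare regexes."""
    out = []
    for event in break_events(text, break_before):
        ts = extract_timestamp(event)
        out.append((event.count("\n") + 1, ts.isoformat() if ts else None))
    return out


if __name__ == "__main__":
    for name, rx in (("posted ^(\\d{6})\\s", LOOSE_BREAK), ("tightened", TIGHT_BREAK)):
        print(name)
        for lines, ts in summarize(SAMPLE_LOG, rx):
            print(f"  {lines} line(s), timestamp={ts}")
```

With the posted regex the sample splits into six events, four of them single `Query` lines that carry no date; with the tightened regex it splits into the two four-line events the post says are expected, each timestamped from its first line.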