Here is a sample log:
2010-05-06 16:41:18,082 INFO SplunkCLI :: Executing: "/Users/hs/bin/" status space
Thu May 6 16:40:42 2010 1 unknown /var/folders/0g/0g2PnEjcEOeS9P-W4W4aIQkTMTmp9142.txt
---------------------------------------
Collapse files into common directories?
---------------------------------------
Enter [Y]es or [N]o >
------------------------------
Index found files into splunk?
------------------------------
Enter choice: All/Some/[None] > 0
2010-05-06 16:41:54,364 INFO splunk_data :: report_item_fspath='/Users/hstest_find_ascii' file_name='test_found.py' test_name='test_find_ascii' test_result='PASSED' error_message=''
2010-05-06 16:41:54,364 INFO conftest :: RUNTEST_TEARDOWN test_ascii runtime=163
Currently splunk sees this as two events:
2010-05-06 16:41:18,082 ...
Thu May 6 16:40:42 2010 ...
How can I correctly extract the timestamp so that the sample log above becomes three events?
2010-05-06 16:41:18,082 ...
2010-05-06 16:41:54,364 ...
2010-05-06 16:41:54,364 ...
My props.conf in etc/apps/my-app/local/props.conf looks like this:
[sourcetype::testlog]
MAX_TIMESTAMP_LOOKAHEAD = 25
...
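The following props.conf stanza is an added example written for this question; it is not part of the original post and not taken from Splunk's documentation. It assumes the data is indexed with sourcetype `testlog`, so the stanza is named `[testlog]` (in props.conf, a sourcetype stanza carries the bare sourcetype name; the `source::` and `host::` prefixes exist only for source and host stanzas). The regex is built from the `YYYY-MM-DD HH:MM:SS,mmm` prefix visible on the three lines the question wants as event starts; the interior `Thu May 6 16:40:42 2010` line is left inside the first event, because timestamp extraction is anchored to the start of the event and cannot match it.

```ini
# Added example (not from the question): break on the ISO-style timestamp only.
# Stanza name is assumed to match the sourcetype the data is indexed with.
[testlog]

# Do not merge lines back together after breaking; LINE_BREAKER decides the
# event boundaries on its own, which is cheaper than the line-merging path.
SHOULD_LINEMERGE = false

# Consume the newline(s) (capture group 1) only when the next line begins with
# "YYYY-MM-DD HH:MM:SS,mmm". The lookahead keeps the timestamp in the new event.
# Lines such as "Thu May 6 16:40:42 2010 ..." or "Enter [Y]es or [N]o >" do not
# match, so they stay attached to the preceding event.
LINE_BREAKER = ([\r\n]+)(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})

# Timestamp extraction: the time starts at the very beginning of each event.
TIME_PREFIX = ^

# 2010-05-06 16:41:54,364 -> %Y-%m-%d %H:%M:%S,%3N (%3N = milliseconds)
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N

# Exactly 23 characters of timestamp follow TIME_PREFIX; a tight lookahead
# prevents Splunk from scanning further into the event for other dates.
MAX_TIMESTAMP_LOOKAHEAD = 23
```

Line breaking and timestamp settings are index-time settings, so they only take effect for data indexed after the change (restart Splunk or reload the app first); already-indexed events keep their existing boundaries. An equivalent, if slower, variant keeps `SHOULD_LINEMERGE = true` and uses `BREAK_ONLY_BEFORE = ^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}` with the same `TIME_PREFIX`, `TIME_FORMAT` and `MAX_TIMESTAMP_LOOKAHEAD`. A quick check after reindexing a copy of the sample file is a search such as `sourcetype=testlog | stats count`, which should return 3, with `_time` equal to the leading timestamp of each event.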