The feature of timestamping being done before SEDCMD is useful. I have logs which are pipe-separated key=value pairs, but with a leading timestamp before the key-value pairs.
The key-value extractor churns out lots of spurious field names starting with a timestamp, but I am going to try using SEDCMD to remove the timestamp before using REPORT-fields = pipe-kv
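The approach described in the post, sketched as an added configuration example that is not part of the original post. The sourcetype name `my_pipe_kv`, the timestamp layout (`2024-01-01 12:00:00 ` at the start of each event) and the contents of the `pipe-kv` stanza are assumptions.

```ini
# props.conf
# [my_pipe_kv] is a placeholder sourcetype name (assumption).
[my_pipe_kv]
# Timestamp recognition runs before SEDCMD, so _time is still taken
# from the leading timestamp even though SEDCMD strips it from _raw.
# Assumed layout: "YYYY-MM-DD HH:MM:SS " at the start of the event.
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19

# Index time: remove the leading timestamp and the whitespace after it,
# so the event starts directly with the first key=value pair.
SEDCMD-strip_ts = s/^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+//

# Search time: apply the delimiter-based key-value extraction.
REPORT-fields = pipe-kv

# transforms.conf
[pipe-kv]
# First delimiter set separates the pairs, second separates key from value.
DELIMS = "|", "="
```

SEDCMD rewrites `_raw` at index time, so it applies only to events indexed after the change and the original timestamp text is no longer in the stored event. The `SEDCMD` and timestamp settings belong on the instance that parses the data, while `REPORT-fields` and the `pipe-kv` stanza belong on the search head.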