I have a log that looks like this:
2010/06/28 12:44:21 -
-ERROR(Version: 1.0 Buildguy from 2009-05-12 08.45.26) : 2010/06/28 12:44:21....
When I index it with the main index, I get two events:
2010/06/28 12:44:21 2010/06/28 12:44:21 -
2009-05-12 12:44:21 -ERROR(Version: 1.0 Buildguy from 2009-05-12 08.45.26) :
2010/06/28 12:44:21....
My problem here is that the date for the second event is taken from the error message, not the second date, which is the one I need for my timestamp.
I also tried a props.conf that looks like this:
[I2]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = ^\d\d/\d\d/\d\d \d\d:\d\d:\d\d -
I only get one event using this I2 index:
2010/06/28 12:44:21 2010/06/28 12:44:21 -
Is there any way I can index this, merging the date with the error message, or pull the second date from the error message for the timestamp? I was not sure if the space between the date and the ERROR message was the problem, and if it is, is there a way around this so I can merge these together?
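The behaviour described in the post can be reproduced outside Splunk. The following is an added example, not part of the original post and not Splunk's own code: a Python simulation of the "start a new event only at a matching line" rule and of reading the timestamp after a prefix. The four-digit-year pattern, the prefix regex, the function names and the second sample record are assumptions made for illustration.

```python
import re
from datetime import datetime

# First record is the one from the post; the second is constructed for illustration.
SAMPLE = (
    "2010/06/28 12:44:21 -\n"
    "-ERROR(Version: 1.0 Buildguy from 2009-05-12 08.45.26) : 2010/06/28 12:44:21....\n"
    "2010/06/28 12:45:02 -\n"
    "-ERROR(Version: 1.0 Buildguy from 2009-05-12 08.45.26) : 2010/06/28 12:45:02....\n"
)

POSTED_BREAK = r"^\d\d/\d\d/\d\d \d\d:\d\d:\d\d -"       # pattern from the post
FOUR_DIGIT_BREAK = r"^\d{4}/\d\d/\d\d \d\d:\d\d:\d\d -"  # assumption: 4-digit year
# Assumed prefix: skip the whole "(Version ...)" text so the build date is never read.
TIME_PREFIX = r"ERROR\([^)]*\)\s*:\s*"
TIME_FORMAT = "%Y/%m/%d %H:%M:%S"


def merge_lines(text, break_before):
    """Merge lines into events; a new event starts only at a line matching break_before."""
    pattern = re.compile(break_before)
    events = []
    for line in text.splitlines():
        if pattern.search(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


def event_time(event):
    """Parse the timestamp that follows TIME_PREFIX; None if the prefix is absent."""
    m = re.search(TIME_PREFIX + r"(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)", event)
    return datetime.strptime(m.group(1), TIME_FORMAT) if m else None


if __name__ == "__main__":
    # The posted pattern expects a two-digit year, so it never matches "2010/...".
    print(len(merge_lines(SAMPLE, POSTED_BREAK)), "event(s) with the posted pattern")
    for ev in merge_lines(SAMPLE, FOUR_DIGIT_BREAK):
        print(event_time(ev), "|", ev.replace("\n", " "))
```

The constants are named after the props.conf settings they imitate (BREAK_ONLY_BEFORE, TIME_PREFIX, TIME_FORMAT); the regex values would still need testing against the real data in Splunk itself.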