Here's an example beginning of an event line:
Oct 20 20:57:03 sfo-prd-wsux02 apache2: [Fri Oct 20 20:57:03.398765 2017] [proxy:error] [pid 32083:tid 140031679186688]
I'm trying to capture the second timestamp as "Fri Oct 20 20:57:03.398765 2017", which includes the subseconds.
In props.conf I am putting:
[syslog_apache_error]
TIME_PREFIX = ^.*\[
TIME_FORMAT = %a %b %d %H:%M:%S:.%6N %Y
However Splunk's timestamp is catching the decimals, please advise.
Thank you all
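Added example, not part of the original post and not Splunk's own parser: a Python model of the posted TIME_PREFIX and TIME_FORMAT run against the posted event line, showing where the prefix match ends and whether the format parses what follows. The names ANCHORED_PREFIX and PLAIN_FORMAT, and the use of Python's %f in place of %6N, are assumptions made for this illustration.

```python
import re
from datetime import datetime

# Event line quoted in the post above.
EVENT = ("Oct 20 20:57:03 sfo-prd-wsux02 apache2: "
         "[Fri Oct 20 20:57:03.398765 2017] [proxy:error] "
         "[pid 32083:tid 140031679186688]")

POSTED_PREFIX = r"^.*\["        # TIME_PREFIX exactly as posted (greedy .*)
ANCHORED_PREFIX = r"^[^\[]*\["  # assumption: stop at the first '[' instead

# Python strptime stand-ins; %f (microseconds) replaces %6N (assumption).
POSTED_FORMAT = "%a %b %d %H:%M:%S:.%f %Y"  # as posted: ':' before the '.'
PLAIN_FORMAT = "%a %b %d %H:%M:%S.%f %Y"    # assumption: '.' only


def text_after_prefix(prefix, line):
    """Return what follows the prefix match, or None if it does not match."""
    m = re.match(prefix, line)
    return line[m.end():] if m else None


def parse_bracketed(prefix, fmt, line):
    """Parse the text between the prefix match and the next ']' with fmt.

    Returns a datetime, or None when the prefix or the format fails.
    """
    rest = text_after_prefix(prefix, line)
    if rest is None:
        return None
    candidate = rest.split("]", 1)[0]
    try:
        return datetime.strptime(candidate, fmt)
    except ValueError:
        return None


if __name__ == "__main__":
    for name, prefix in (("posted", POSTED_PREFIX),
                         ("anchored", ANCHORED_PREFIX)):
        print(name, "prefix leaves:", text_after_prefix(prefix, EVENT))
        for fname, fmt in (("posted", POSTED_FORMAT),
                           ("plain", PLAIN_FORMAT)):
            print("  ", fname, "format ->",
                  parse_bracketed(prefix, fmt, EVENT))
```
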