Hi
I have the following configuration:
timestamp format: `%c`
timestamp prefix: `Start\sTime:\s+`
lookahead: ???
I want a configuration that will look for the timestamp through the entire event, regardless of the size of the event. Is there any value that can be set for lookahead in this configuration? If I set lookahead to 100000 and the timestamp is after the 100th character, would Splunk go through the entire event even though it finds the timestamp during the first 100 characters?