The time format is not getting extracted properly. We have one type of timestamp, but the clock there is different: hours run from 0 - 24, dates from 1 - 31, and likewise months from 1 - 12. See the timestamp examples below.
[8/10/18 0:20:37:469 EDT]
[8/9/18 11:59:59:796 EDT]
[8/9/18 13:16:38:194 EDT]
[8/12/18 1:49:08:943 EDT]
[8/11/18 22:59:45:370 EDT]
I tried to use this props.conf, but it didn't work:
[sourcetypename]
BREAK_ONLY_BEFORE = \[\d+\/\d+\/\d+\s\d+[:]\d+[:]\d+[:]\d+\s\w{3}\]
TIME_FORMAT = %m/%e/%y %k:%M:%S:%3N
After this I tried to extract using datetime.xml; that is working to some extent but not fully. Using that, I am getting a delay in the indexed event timestamp. Please help...
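An offline check of the timestamp layout above, as an added example that is not part of the original post: it applies the post's BREAK_ONLY_BEFORE pattern to the sample headers, parses each into a datetime, and groups continuation lines under their header. The function names, the EDT offset of UTC-4, and the message and continuation text are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# BREAK_ONLY_BEFORE pattern exactly as posted above.
BREAK_RE = re.compile(r"\[\d+\/\d+\/\d+\s\d+[:]\d+[:]\d+[:]\d+\s\w{3}\]")

# Assumption: EDT means UTC-4; add other abbreviations as needed.
ZONES = {"EDT": timezone(timedelta(hours=-4))}

# Headers from the post; message text and the continuation line are constructed.
SAMPLE_LOG = """\
[8/10/18 0:20:37:469 EDT] constructed message A
[8/9/18 11:59:59:796 EDT] constructed message B
    constructed continuation line
[8/9/18 13:16:38:194 EDT] constructed message C
[8/12/18 1:49:08:943 EDT] constructed message D
[8/11/18 22:59:45:370 EDT] constructed message E
"""

def parse_stamp(line):
    """Return an aware datetime for a line that starts with a header, else None."""
    m = BREAK_RE.match(line)
    if m is None:
        return None
    body, zone = m.group(0)[1:-1].rsplit(" ", 1)
    if zone not in ZONES:
        raise ValueError(f"unmapped zone abbreviation: {zone}")
    # strptime accepts unpadded month, day and hour; %f reads "469" as 469 ms.
    naive = datetime.strptime(body, "%m/%d/%y %H:%M:%S:%f")
    return naive.replace(tzinfo=ZONES[zone])

def group_events(text):
    """Start a new event at each header line, keeping continuation lines attached."""
    events = []
    for line in text.splitlines():
        stamp = parse_stamp(line)
        if stamp is not None:
            events.append((stamp, [line]))
        elif events:
            events[-1][1].append(line)
    return events

if __name__ == "__main__":
    for stamp, lines in group_events(SAMPLE_LOG):
        print(stamp.isoformat(timespec="milliseconds"), len(lines))
```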