I have two timestamps in my log as shown below:
"#01#20180626-125301;969#19700101-000028;723#0046#01#GROUND#Y#4Y1651"
My sourcetype is written in a way to pick up the second timestamp within 5000 days. Now, since the date in the above example is 19700101, it attached the indexation time as the timestamp of the event. But is there a way to select the first time as the timestamp of the event when my second timestamp is invalid?
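The selection order asked about above (second timestamp if it falls inside the 5000-day window, otherwise the first, otherwise index time), modelled as an added Python example that is not part of the original post and is not Splunk configuration. The function names, the fixed `now` value and the choice to reject timestamps in the future are assumptions of this example; the second sample line is constructed.

```python
import re
from datetime import datetime, timedelta

# Layout assumed from the sample event: ...#<first ts>#<second ts>#...
TS_RE = re.compile(r"#(\d{8}-\d{6};\d{3})#(\d{8}-\d{6};\d{3})#")
MAX_DAYS_AGO = 5000  # the acceptance window described in the question


def parse_ts(raw):
    """Parse 'YYYYMMDD-HHMMSS;mmm' into a datetime, or None if it is not a real date."""
    base, millis = raw.split(";")
    try:
        parsed = datetime.strptime(base, "%Y%m%d-%H%M%S")
    except ValueError:
        return None
    return parsed + timedelta(milliseconds=int(millis))


def in_window(ts, now):
    """True when ts is at most MAX_DAYS_AGO days old and not in the future."""
    return ts is not None and timedelta(0) <= now - ts <= timedelta(days=MAX_DAYS_AGO)


def pick_event_time(line, now):
    """Return (timestamp, source); source is 'second', 'first' or 'index'."""
    match = TS_RE.search(line)
    if match:
        first, second = parse_ts(match.group(1)), parse_ts(match.group(2))
        if in_window(second, now):
            return second, "second"
        if in_window(first, now):
            return first, "first"
    # Neither field is usable: fall back to the time the event was indexed.
    return now, "index"


# Event from the question, plus a constructed event whose second timestamp is valid.
PAGE_EVENT = '"#01#20180626-125301;969#19700101-000028;723#0046#01#GROUND#Y#4Y1651"'
CONSTRUCTED_EVENT = '"#01#20180626-125301;969#20180626-125259;100#0046#01#GROUND#Y#4Y1651"'
NOW = datetime(2018, 6, 26, 13, 0, 0)  # constructed stand-in for index time

if __name__ == "__main__":
    for event in (PAGE_EVENT, CONSTRUCTED_EVENT, "no timestamps here"):
        ts, source = pick_event_time(event, NOW)
        print(f"{source:6} {ts.isoformat()}  <- {event}")
```

Recording which field supplied the event time, as the `source` value does here, makes it possible to audit later how many events fell back to the first timestamp or to index time.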