Trying to get the first occurrence of the timestamp to be used for _time
LogFile:
2016/05/27 06:30; 2016/05/27 06:29:18 Test1 :Service1
2016/05/27 05:30; 2016/05/27 05:24:16 Test2 :Service2
I have used props.conf to set MAX_TIMESTAMP_LOOKAHEAD=15 and also TIME_PREFIX = ^, but it still looks at the second timestamp.
inputs.conf:
[monitor:LogFile]
index = test_index
sourcetype = sourcetype_new
source = host1
props.conf:
[sourcetype_new]
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 15
search:
source=host1 sourcetype=sourcetype_new *
Output:
Time - Event
2016/05/27 06:29:18 - 2016/05/27 06:30; 2016/05/27 06:29:18 Test1 :Service1
2016/05/27 05:24:16 - 2016/05/27 05:30; 2016/05/27 05:24:16 Test2 :Service2