Hello guys,
TIMESTAMP_FIELDS must be setup in props.conf on indexers side, therefore how to use TIMESTAMP_FIELDS for different sources and timestamps using same sourcetype _json? Must we define sub-sourcetypes? Is it possible and how?
First source :
[_json]
TIMESTAMP_FIELDS = @**timestamp**
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N.%z
Second source :
[_json]
TIMESTAMP_FIELDS = @**start**
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N.%z
Thanks.
↧