For one of our syslog devices, some events that come through only contain the syslog datetime format, while there are others that contain the syslog datetime AND a "timestamp=" field at the end of the event. What would be the best to setup timestamp recognition where it first reads the "timestamp=" field and if the event does not contain that field, then for it to look at the syslog datatime at the beginning of the event. The timestamp field and the syslog datetime are two different formats too. See below for an example.
Sep 23 23:59:57 2016 aa_wlc_01 wms[1234]: <123456> |ids| AP(aa:aa:aa:aa:aa:aa@aa-aa-aa): Wireless Bridge: An AP detected a wireless bridge between transmitter aa:aa:aa:aa:aa:aa and receiver aa:aa:aa:aa:00:00. SNR value is 25. Additional Info: BSSID:aa:aa:aa:aa:aa:aa; Channel:1.
Sep 23 23:59:44 2016-09-23 23: 59:44,5 192.168.111.111 CPPM_RADIUS_Accounting_Detail aaa 1 0 id=aaa,session_id=aaa-01-aaa,acct_session_id=aaa\\aaa-aaa,type=aaa,attr_name=aaa-Location-Id,attr_value=aaa.6-aaa-aaa,timestamp=2016-09-23 23:58:35-07
↧