Hi.
I have two message formats falling into the same index. One of these message formats only contains one timestamp without milliseconds, but the second format contains a second timestamp **with** milliseconds. For reference:
Message format #1 with two timestamps, where the second timestamp has milliseconds:

```
<181>Jan 27 15:15:26 monitor2 CISE_System_Statistics 0000006805 1 0 2017-01-27 15:15:26.036 +00:00 0000036144 70001 NOTICE System-Stats:
```

Message format #2 with one timestamp:

```
<180>Jan 27 15:15:32 CISE_Alarm WARN: RADIUS Authentication Request dropped :
```
I have configured the sourcetype to correctly pull out the second timestamp:
```
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N %:z
TIME_PREFIX = \d{10}\s(?:\d\s){2}
SHOULD_LINEMERGE = true
```
This correctly processes format #1, but now events with message format #2 are merged into a single event. Is there a way to configure Splunk to pick the second timestamp from format #1, but the first timestamp for format #2?
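The selection logic the question asks for, written out in Python as an added illustration (not part of the original post and not Splunk configuration): events are broken on the syslog `<PRI>` header rather than merged, and each event takes the millisecond ISE timestamp when the record carries one, falling back to the syslog header timestamp otherwise. The sample input is constructed from the two lines in the question, and the year and UTC offset assumed for the BSD syslog header are assumptions, since that header carries neither.

```python
import re
from datetime import datetime, timezone, timedelta

# Constructed sample: the two formats from the question, one record per line,
# as a syslog receiver would hand them over.
RAW = (
    "<181>Jan 27 15:15:26 monitor2 CISE_System_Statistics 0000006805 1 0 "
    "2017-01-27 15:15:26.036 +00:00 0000036144 70001 NOTICE System-Stats:\n"
    "<180>Jan 27 15:15:32 CISE_Alarm WARN: RADIUS Authentication Request dropped :\n"
)

# Every record starts with a syslog <PRI> header, so break events there
# instead of merging consecutive lines into one event.
EVENT_BREAK = re.compile(r"\n+(?=<\d+>)")

# Format #1 carries an ISE header "<seq> <n> <n> YYYY-mm-dd HH:MM:SS.mmm +HH:MM";
# the prefix mirrors the poster's TIME_PREFIX, then the timestamp is captured.
ISE_TS = re.compile(
    r"\d{10}\s(?:\d\s){2}(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) ([+-]\d{2}):(\d{2})"
)
# Both formats have the syslog header timestamp directly after <PRI>.
SYSLOG_TS = re.compile(r"^<\d+>([A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})")


def split_events(raw: str) -> list[str]:
    """Split raw syslog text into one event per <PRI>-headed record."""
    return [e for e in EVENT_BREAK.split(raw.strip()) if e]


def event_time(event: str, year: int = 2017) -> datetime:
    """Prefer the millisecond ISE timestamp; fall back to the syslog header."""
    m = ISE_TS.search(event)
    if m:
        ts, tz_h, tz_m = m.groups()
        # Build the offset so that e.g. "-05:30" becomes -5h30m, not -5h+30m.
        sign = -1 if tz_h.startswith("-") else 1
        offset = timezone(sign * timedelta(hours=abs(int(tz_h)), minutes=int(tz_m)))
        return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=offset)
    m = SYSLOG_TS.match(event)
    if not m:
        raise ValueError("no timestamp found in event: " + event[:40])
    # Assumption: BSD syslog headers carry no year or zone, so use the ingest
    # year passed in and treat the header time as UTC.
    stamped = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return stamped.replace(tzinfo=timezone.utc)
```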