I've set up a field extraction with K=V; format, and every field is working correctly except for the first field, "timestamp".
Here's the format I'm starting with:
timestamp=value;key=value;key=value...key=value
In transforms.conf:
[kv_extraction]
DELIMS = ";", "="
The result:
timestamp:
timestamp=value;key=value;key=value...key=value
(in other words, the timestamp field is being extracted as the entire event or _raw)
*Note: _time is showing up correctly
key:
value
(working correctly and shows only the extracted value for all the remaining fields)
Am I doing something wrong here?
P.S.
I tried adding this to props.conf and it did nothing:
TIME_PREFIX= timestamp=