Hi, I am using the following regular expression for the index-time extraction in props.conf. For some reason, it is not extracting properly.
Event: 2017-03-15T11:30:02.609835+00:00 postfix/pickup[19819]: 89389386: uid=0 from user1
I have defined my sourcetype as mail.
[source::...mail]
sourcetype=mail
[mail]
SHOULD_LINEMERGE = false
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6Q%:z
TIME_PREFIX = ^
LINE_BREAKER = ([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD = 30
TRUNCATE=5000
Also, are there any websites where I can test the TIME_FORMAT regular expression, similar to regex101.com?
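A local check of the [mail] stanza against the sample event, as an added example that is not part of the original post: it cuts the MAX_TIMESTAMP_LOOKAHEAD window after the TIME_PREFIX match and tries to parse a timestamp from the start of it. Mapping %6Q to %f and %:z to %z for Python's strptime is an assumption, and the function names are hypothetical, so Splunk's own parser may differ in detail.

```python
import re
from datetime import datetime

# Sample event and settings copied from the post.
EVENT = ("2017-03-15T11:30:02.609835+00:00 postfix/pickup[19819]: "
         "89389386: uid=0 from user1")
TIME_PREFIX = r"^"
SPLUNK_TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%6Q%:z"

# Assumption: nearest Python strptime equivalents of the Splunk directives.
DIRECTIVE_MAP = {"%6Q": "%f", "%:z": "%z"}


def to_python_format(splunk_format):
    """Translate the Splunk-specific directives used in the stanza."""
    for splunk_directive, py_directive in DIRECTIVE_MAP.items():
        splunk_format = splunk_format.replace(splunk_directive, py_directive)
    return splunk_format


def lookahead_window(event, time_prefix, lookahead):
    """Return the characters the timestamp parser is allowed to inspect."""
    match = re.search(time_prefix, event)
    if match is None:
        return None
    return event[match.end():match.end() + lookahead]


def extract_timestamp(event, time_prefix, splunk_format, lookahead):
    """Parse the longest leading slice of the window that fits the format."""
    window = lookahead_window(event, time_prefix, lookahead)
    if window is None:
        return None
    fmt = to_python_format(splunk_format)
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], fmt)
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    for lookahead in (30, 32, 40):
        window = lookahead_window(EVENT, TIME_PREFIX, lookahead)
        parsed = extract_timestamp(EVENT, TIME_PREFIX,
                                   SPLUNK_TIME_FORMAT, lookahead)
        print(f"lookahead={lookahead:>2} window={window!r} parsed={parsed}")
```

The timestamp in the sample event is 32 characters long, so the 30-character window ends partway through the UTC offset.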