Hi All,
I have created an index and sourcetype for two log files.
I have set up my props.conf to extract the date/time and separate onto one line; however, one of my logs has a colon after the time and it is not separating out correctly.
See below.
19/09/2017 13:34:51.438
2017-09-19 13:34:51.438683 [ptp1:pps--phc1(ens1f0/ens1f1)], last: 0, mean: 0, min: 2147483647, max: -2147483647, bad-period: 0,
overflows: 0
19/09/2017 13:34:51.437
2017-09-19 13:34:51.437853: warning: ptp ptp1: failed to receive Announce within 12.000 seconds
2017-09-19 13:34:51.437898: debug: ptp ptp1: state PTP_LISTENING
2017-09-19 13:34:51.437911: debug: netRefreshIGMP
19/09/2017 13:34:50.823
2017-09-19 13:34:50.823439 [phc0(ens1f0/ens1f1)->system], offset: -8.875, freq-adj: -42949.984, in-sync: 1
My props.conf file:
[ptp_log]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE_DATE = false
BREAK_ONLY_BEFORE = ^\d{4}\-\d{2}\-\d{2}\s\d{2}:\d{2}:\d{2}\.\d{6}\s
MAX_TIMESTAMP_LOOKAHEAD = 26
TIME_PREFIX = ^
If I put a colon into the regex it will miss the other log file.
Is the only way to do this two sourcetypes?
Thanks,
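Added example, not part of the original post and not Splunk's own code: a simplified Python model of BREAK_ONLY_BEFORE line merging, run over the sample lines above split into two constructed per-file lists. The `[:\s]` pattern is an assumed alternative to the posted regex, and the model ignores Splunk's other merge limits.

```python
import re

# Pattern from the post's props.conf: the timestamp must be followed by whitespace.
ORIGINAL = r"^\d{4}\-\d{2}\-\d{2}\s\d{2}:\d{2}:\d{2}\.\d{6}\s"
# Assumed alternative (not from the post): accept a colon or whitespace after it.
EITHER = r"^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\.\d{6}[:\s]"

# Lines copied from the post, grouped by format (grouping is constructed;
# the wrapped "overflows" tail is joined back onto its line).
SPACE_LOG = [
    "2017-09-19 13:34:50.823439 [phc0(ens1f0/ens1f1)->system], offset: -8.875, "
    "freq-adj: -42949.984, in-sync: 1",
    "2017-09-19 13:34:51.438683 [ptp1:pps--phc1(ens1f0/ens1f1)], last: 0, mean: 0, "
    "min: 2147483647, max: -2147483647, bad-period: 0, overflows: 0",
]
COLON_LOG = [
    "2017-09-19 13:34:51.437853: warning: ptp ptp1: failed to receive Announce "
    "within 12.000 seconds",
    "2017-09-19 13:34:51.437898: debug: ptp ptp1: state PTP_LISTENING",
    "2017-09-19 13:34:51.437911: debug: netRefreshIGMP",
]

def merge_events(lines, break_before):
    """Model of SHOULD_LINEMERGE = true with BREAK_ONLY_BEFORE: a new event
    starts only at a line matching the pattern (or at the first line)."""
    pattern = re.compile(break_before)
    events = []
    for line in lines:
        if pattern.search(line) or not events:
            events.append([line])
        else:
            events[-1].append(line)  # no match: glued onto the previous event
    return events

def event_counts(break_before):
    """Events produced per log for one sourcetype-wide pattern."""
    return {
        "space_log": len(merge_events(SPACE_LOG, break_before)),
        "colon_log": len(merge_events(COLON_LOG, break_before)),
    }

if __name__ == "__main__":
    print("original      :", event_counts(ORIGINAL))
    print("colon-or-space:", event_counts(EITHER))
```

With the posted pattern the three colon-terminated lines collapse into a single event, which matches the merged 13:34:51.437 event shown in the post.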