I've got some logs that are in a format like this
2013-12-29 08:23:21,151 - INFO - 1.1.1.1 - None - None - SERVER1 - User keynote@test.com logged in... - Mozilla/4.0 (compatible; MSIE 8.0; Webmetrics; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
as you can see the field delimiter here is " - " (including the spaces). When I setup my custom sourcetype and field extractions using
DELIMS=" - "
it seems to be ignoring the spaces and breaking the fields at the first "-" rather than " - ". I'm getting "2013" as my first field rather than "2013-12-29 08:23:21,151"
I've tried using DELIMS="\s-\s" and that doesn't seem to work either.
Anyone have any ideas?
... View more