How can I parse this log with different date formats?
data.log:
2011.06.30 16:06:11 data data data data bla bla
30.06.2011. 16:06:10 data data data bla bla data
...
You can't use TIME_FORMAT in this example, because that assumes there is a single timestamp format within the file.

It's possible that both of these formats are in datetime.xml already, which would let Splunk parse them without help. If not, you could make a custom datetime.xml that has both of these formats in it. That should let the timestamp parser differentiate between the two and parse appropriately.
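To show what "differentiate between the two and parse appropriately" means in practice, here is an added example that is not part of the original answer and is not Splunk's own timestamp parser or a datetime.xml file. It models the same idea in Python: each candidate format is a regex that must match at the start of the line plus a strptime pattern, the parser tries them in order, and lines matching neither are kept but flagged with no timestamp (so nothing from the log is dropped). The sample lines are constructed from the question's data.log; the function names are my own.

```python
import re
from datetime import datetime

# Constructed sample input modelled on the question's data.log (not real log data).
SAMPLE_LOG = """\
2011.06.30 16:06:11 data data data data bla bla
30.06.2011. 16:06:10 data data data bla bla data
garbage line without a timestamp
"""

# Candidate formats, tried in order. Each entry pairs an anchored regex
# (which text counts as the timestamp) with the strptime pattern used to
# convert it. Order matters when two formats can match the same text
# (for example day-first vs month-first dates); here the year position
# and the trailing dot make the two unambiguous.
TIMESTAMP_FORMATS = [
    # YYYY.MM.DD HH:MM:SS
    (re.compile(r"^(\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2})"), "%Y.%m.%d %H:%M:%S"),
    # DD.MM.YYYY. HH:MM:SS  (note the dot after the year in the second sample line)
    (re.compile(r"^(\d{2}\.\d{2}\.\d{4}\. \d{2}:\d{2}:\d{2})"), "%d.%m.%Y. %H:%M:%S"),
]


def extract_timestamp(line):
    """Return (datetime, format_used) for the first format that matches,
    or (None, None) if no format matches or the values are out of range."""
    for pattern, fmt in TIMESTAMP_FORMATS:
        match = pattern.match(line)
        if not match:
            continue
        try:
            return datetime.strptime(match.group(1), fmt), fmt
        except ValueError:
            # Regex shape matched but the numbers are invalid (e.g. month 13);
            # fall through and let the next format try.
            continue
    return None, None


def parse_log(text):
    """Parse every non-empty line into an event dict. Lines without a
    recognised timestamp are kept with time=None so the log stays complete."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, fmt = extract_timestamp(line)
        events.append({"time": ts, "format": fmt, "raw": line})
    return events


if __name__ == "__main__":
    for event in parse_log(SAMPLE_LOG):
        when = event["time"].isoformat() if event["time"] else "<no timestamp>"
        print(f"{when:20} {event['format'] or '-':22} {event['raw']}")
```

Splunk's datetime.xml works on the same principle (a list of named patterns the extractor tries against each event), so the order and anchoring choices above are the ones to think about when writing a custom one: put the more specific pattern first, and anchor patterns so a date inside the message body cannot be mistaken for the event time.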
I need to include both date formats. I need to include everything in this log.
Thanks for the help. It seems that Splunk correctly recognizes and separates the events without defining a sourcetype.
I tried defining sourcetype=datalog and, in props.conf, defining just the stanza name without any options, and it works!
Could you edit your question to clarify what you'd like to see in terms of a date format? Which of the two formats here would you like to include/exclude?