I have a date and time in this format:
[2010/01/14@08:43:17.561+0100]
How do I read it correctly into Splunk?
Give this a try (props.conf on your indexer/heavy forwarder):
[yoursourcetype]
# ...other line-breaking settings...
TIME_PREFIX = \[
TIME_FORMAT = %Y/%m/%d@%H:%M:%S.%3N%z
MAX_TIMESTAMP_LOOKAHEAD = 28
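To check the three settings against the sample timestamp before deploying them, here is a simplified Python model of prefix, lookahead window, and format (an added example, not Splunk's parser and not part of the original answer). The sample event text is constructed, and `%3N` is mapped to Python's `%f` as an assumption of this model.

```python
import re
from datetime import datetime, timezone

# Values taken from the props.conf stanza in the answer above.
TIME_PREFIX = r"\["
TIME_FORMAT = "%Y/%m/%d@%H:%M:%S.%3N%z"
MAX_TIMESTAMP_LOOKAHEAD = 28

# Constructed sample event using the timestamp from the question.
SAMPLE_EVENT = "[2010/01/14@08:43:17.561+0100] constructed sample message"


def to_strptime(splunk_format):
    """Map the Splunk-only %3N (milliseconds) onto Python's %f."""
    return splunk_format.replace("%3N", "%f")


def extract_time(event, lookahead=MAX_TIMESTAMP_LOOKAHEAD):
    """Return the event time as an aware UTC datetime, or None on failure."""
    prefix = re.search(TIME_PREFIX, event)
    if prefix is None:
        return None
    # Only `lookahead` characters after the prefix match are examined.
    window = event[prefix.end():prefix.end() + lookahead]
    try:
        parsed = datetime.strptime(window, to_strptime(TIME_FORMAT))
    except ValueError:
        return None
    if parsed.tzinfo is None:
        # The UTC offset was not read; refuse to guess a timezone.
        return None
    return parsed.astimezone(timezone.utc)


if __name__ == "__main__":
    # 28 characters cover the timestamp up to and including "+0100".
    print(extract_time(SAMPLE_EVENT))
    # One character less cuts the offset to "+010", so the model rejects it.
    print(extract_time(SAMPLE_EVENT, lookahead=27))
```

In this model the 28-character window ends exactly at the last digit of the UTC offset, which is why events logged at +0100 normalize to one hour earlier in UTC.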