Hi
Please use the below config in props.conf:
TIME_FORMAT = %d/%b/%Y:%H:%M:%S %z
TIME_PREFIX = \[
If the above config does not work, then please provide some sample data with full events (mask any sensitive data).
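An offline check of the TIME_PREFIX and TIME_FORMAT values suggested above, run against lines from the access.log excerpt posted in this thread (truncated after the status code). This is an added example, not code from the thread participants or from Splunk: it uses Python's strptime as a stand-in for Splunk's timestamp parser, and the lookahead value and function names are assumptions.

```python
import re
from datetime import datetime

# Settings taken from the props.conf suggestion in this thread.
TIME_PREFIX = r"\["
TIME_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
# Assumption: a 30-character lookahead; the thread does not give a value.
MAX_TIMESTAMP_LOOKAHEAD = 30

# Lines from the access.log excerpt in the thread, truncated after status_code.
SAMPLE = [
    '"time_stamp" "auth_user" src_ip status_code "req_line"',  # header line
    '[29/Mar/2019:06:04:57 +0530] "" 176.6.60.56 403',
    '[29/Mar/2019:06:04:57 +0530] "asharma072315" 176.6.50.55 200',
]


def extract_timestamp(event):
    """Return a timezone-aware datetime, or None if prefix or format fail."""
    match = re.search(TIME_PREFIX, event)
    if match is None:
        return None  # no prefix: header line or malformed event
    window = event[match.end():match.end() + MAX_TIMESTAMP_LOOKAHEAD]
    # strptime rejects trailing text, so try the longest candidate first
    # and shrink until the format matches (%b assumes an English locale).
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], TIME_FORMAT)
        except ValueError:
            continue
    return None


def check(events):
    """Pair each event with its extracted timestamp (None = not parsed)."""
    return [(event, extract_timestamp(event)) for event in events]


if __name__ == "__main__":
    for event, ts in check(SAMPLE):
        status = ts.isoformat() if ts else "NO TIMESTAMP"
        print(f"{status:28} <- {event[:40]}")
```

The header line yields no timestamp because it contains no `[`, so it is worth checking how that first line of the file is handled at index time.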
Hi @harsmarvania57
I tried the same, but it is not working...
For reference my access.log file looks like this.
"time_stamp" "auth_user" src_ip status_code "req_line" "categories" "rep_level" "media_type" bytes_to_client bytes_from_client "user_agent" "virus_name" "block_res" "application_name"
[29/Mar/2019:06:04:57 +0530] "" 176.6.60.56 403 "GET http://abcd.com/HTTP/1.1"; "Software/Hardware" "Minimal Risk" "" 8811 237 "Microsoft-CryptoAPI/6.1" "" "0" ""
[29/Mar/2019:06:04:57 +0530] "asharma072315" 176.6.50.55 200 "POST https://obdefw.com/HTTP/1.1"; "Web Mail" "Minimal Risk" "" 1208 7687 "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.9126; Pro)" "" "0" ""
I need to add props and transforms.conf for the same file and create a new source_type, I think, as I don't find any generic sourcetype which supports this kind of log file.
Please help.
If you have the timestamp [29/Mar/2019:06:04:57 +0530] in the above raw data enclosed with " like this: "[29/Mar/2019:06:04:57 +0530]", then you can use the below configuration. Is there any chance to encode the timestamp with "?
props.conf
[yoursourcetype]
FIELD_DELIMITER = space
TIMESTAMP_FIELDS = time_stamp
Do you mean you need a setting/parameter on the Indexer in props.conf to identify the timestamp correctly from raw data?
yes @harsmarvania57