Hi,
I have the following log format.
How can I break this multiline event on the condition that "2020-01-23 03:50:49,063" arrives?
Note that the log needs to be indexed with Local Time.
//******************************************************************************************************
// Module : teste 6.15.0001.77
// Local Time : 23/01/2020 03:50:48.985 (Daylight Saving Time=Off)
// System Time (UTC) : 23/01/2020 06:50:48.985
//
// Domain Name : itau.corp.ihf
//
// 32/64 Bit : 64 Bit
//
// Module Name, File Version, Modification Date:
// ----------------------------------------------------------------------------------------------------
// teste.exe, 6.15.0001.77, 05/08/2019 19:58:36
//
//******************************************************************************************************
2020-01-23 03:50:49,063 | INFO | 4 | testeService.OnStart | | teste | testeService.OnStart: Log Client initialized successfully.
2020-01-23 03:50:49,094 | INFO | 4 | testeService.OnStart | | teste | testeService.OnStart: Trying to load teste modules...
2020-01-23 03:50:49,610 | INFO | 15 | ServiceHost | | teste | testeService.HandleServiceHostLogEvent: Going to register WCF teste
2020-01-23 03:50:53,391 | INFO | 15 | ServiceHost | | teste | testeService.HandleServiceHostLogEvent: Config file already defines ServiceModel configuration, for service teste. Trying to load updated configuration and combine (for Accessible mode only!)...
2020-01-23 03:50:53,485 | INFO | 15 | ServiceHost | | teste | testeService.HandleServiceHostLogEvent: Finished writing updated ServiceModel configuration to config file, for service teste.
2020-01-23 03:50:53,813 | INFO | 15 | ServiceHost | | teste | testeService.HandleServiceHostLogEvent: << All WCF services succeeded to publish. took: 00:00:00.3281398
In this example, the log should be broken into 06 lines, considering the log "2020-01-23 03:50:49,063" as the beginning.
Normal processing should handle that. Try these specific props.conf settings.
[mysourcetype]
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
LINE_BREAKER = ([\r\n]+)
SEDCMD-nocomments = s/^\/\/.*$//g
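An offline check of what these settings are meant to produce, as an added example that is not part of the original answer and is not Splunk code: the Python below approximates the three behaviours (break on newlines, blank the `//` lines, read the timestamp from the start of the event) on an abbreviated copy of the sample log. The function names are hypothetical, and it assumes each line becomes its own event and that events emptied by the sed expression are discarded.

```python
import re
from datetime import datetime

# Constructed sample: header and log lines from the question, messages abbreviated.
SAMPLE = (
    "//**************************************************\r\n"
    "// Module : teste 6.15.0001.77\r\n"
    "// Local Time : 23/01/2020 03:50:48.985 (Daylight Saving Time=Off)\r\n"
    "// System Time (UTC) : 23/01/2020 06:50:48.985\r\n"
    "//\r\n"
    "//**************************************************\r\n"
    "2020-01-23 03:50:49,063 | INFO | 4 | testeService.OnStart | | teste | Log Client initialized\r\n"
    "2020-01-23 03:50:49,094 | INFO | 4 | testeService.OnStart | | teste | Trying to load modules\r\n"
    "2020-01-23 03:50:49,610 | INFO | 15 | ServiceHost | | teste | Going to register WCF teste\r\n"
    "2020-01-23 03:50:53,391 | INFO | 15 | ServiceHost | | teste | Config file already defines\r\n"
    "2020-01-23 03:50:53,485 | INFO | 15 | ServiceHost | | teste | Finished writing updated\r\n"
    "2020-01-23 03:50:53,813 | INFO | 15 | ServiceHost | | teste | << All WCF services succeeded\r\n"
)

# LINE_BREAKER = ([\r\n]+): the captured newline run is the delimiter and is discarded.
LINE_BREAKER = re.compile(r"[\r\n]+")
# SEDCMD-nocomments = s/^\/\/.*$//g: blank any event that starts with "//".
COMMENT = re.compile(r"^//.*$")
# TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N; strptime's %f stands in for %3N here.
TIME_FORMAT = "%Y-%m-%d %H:%M:%S,%f"
TIMESTAMP_LEN = len("2020-01-23 03:50:49,063")


def split_events(raw):
    """Return the events left after line breaking and comment stripping."""
    events = []
    for chunk in LINE_BREAKER.split(raw):
        chunk = COMMENT.sub("", chunk)
        if chunk:  # assumption: an event emptied by the sed step is dropped
            events.append(chunk)
    return events


def event_time(event):
    """TIME_PREFIX = ^ means the timestamp starts at the first character."""
    # Naive datetime: the value is kept exactly as written in the log (local time).
    return datetime.strptime(event[:TIMESTAMP_LEN], TIME_FORMAT)


if __name__ == "__main__":
    for ev in split_events(SAMPLE):
        print(event_time(ev).isoformat(), "|", ev[TIMESTAMP_LEN:].lstrip(" |"))
```

A line that survives comment stripping but does not start with a timestamp raises `ValueError` in `event_time`, which flags input the settings above would not timestamp as intended.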