Hi,
I seem to be incapable of figuring out what regex to provide in the TIME_PREFIX for my source type in order to recognize the second time stamp instead of the first.
Please see a sample event below
"Jun 04 2013 12:00:00:001AM","5333079266","310410257633304","8","Jun 03 2013 03:55:43:000PM"
Thanks
Hello wouterr,
I think as you said bmacias84, and may be set as follows.
TIME_PREFIX=","
OR
TIME_PREFIX=,"
Hello wouterr,
I think as you said bmacias84, and may be set as follows.
TIME_PREFIX=","
OR
TIME_PREFIX=,"
I see you have two timestamps so you want the second timestamp used for _time? if so try
TIME_PREFIX=","
TIME_FORMAT=%b %d %Y %I:%M:%S:%3N:%r