Time prefix ;

smudge797 · ‎11-07-2013

I have events that end and start with :

orderLock;null;
2013-11-07 05:55:38.431; Log entry......
162405913;;
2013-11-07 05:55:38.431; Log entry......
;;
2013-11-07 05:55:38.431; Log entry......

I have the time strip as:
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N;
But I want to include the ; at the end of the log entry on the line before the next log entry what regex should I use with the TIME_PREFIX =

ShaneNewman · ‎11-08-2013

TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N
TIME_PREFIX = [\r\n]+

Truthfully, these setting should work fine...

smudge797 · ‎11-08-2013

Yeah Im trying to get the Event to break after the ; which is part of the previous entry.

ShaneNewman · ‎11-07-2013

TIME_PREFIX = \;[\r\n]+

smudge797 · ‎11-08-2013

blah blah blah itineraryUnLock;;
2013-11-07 06:00:20.813;baf9f8c8-efa7-4425-982e-a96179f840c6; Lots if text blah blah blah
blah blah blah LockRelease;null;
2013-11-07 06:00:20.851;ad8cd20e-ff45-49ad-8988-c1c2b9f58700; Lots if text blah blah blah
blah blah blah LockRelease;null;
2013-11-07 06:00:20.852;ad8cd21e-ff55-40ad-8990-c2c2b9f58700; Lots if text blah blah blah
blah blah blah ServerAdd;;
2013-11-07 06:00:22.442;6671762e-0a52-4c7b-aee3-69c10b261d99; Lots if text blah blah blah

smudge797 · ‎11-08-2013

Didnt work, maybe Im not being descriptive enough. I put more log data in.

kristian_kolb · ‎11-07-2013

It's a bit unclear what you want to do. Do you want the last ; on the line preceding the timestamp to be part of the same message as the timestamp? In that case it has nothing to do with the TIME_PREFIX, but rather with the line-breaking of the event stream.

Time prefix ;

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...