Solved: Re: How to edit props.conf to cope with two differ...

ssaenger · ‎09-19-2017

Hi All,

I have created an index and sourcetype for two logs files.
I have set up my props.conf to extract the date/time and separate onto one line, however one of my logs has a colon after the time and it is not separating out correctly.

see below.

19/09/2017     13:34:51.438 
2017-09-19 13:34:51.438683 [ptp1:pps--phc1(ens1f0/ens1f1)], last: 0, mean: 0, min: 2147483647, max: -2147483647, bad-period: 0, 
overflows: 0
19/09/2017 13:34:51.437 
2017-09-19 13:34:51.437853: warning: ptp ptp1: failed to receive Announce within 12.000 seconds
2017-09-19 13:34:51.437898: debug: ptp ptp1: state PTP_LISTENING 
2017-09-19 13:34:51.437911: debug: netRefreshIGMP
19/09/2017 13:34:50.823 
2017-09-19 13:34:50.823439 [phc0(ens1f0/ens1f1)->system], offset: -8.875, freq-adj: -42949.984, in-sync: 1

my props.conf file
[ptp_log]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE_DATE = false
BREAK_ONLY_BEFORE = ^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}.\d{6}\s
MAX_TIMESTAMP_LOOKAHEAD = 26
TIME_PREFIX = ^

If I put a colon into regex it will miss the other log file.
Is the only way to do this two sourcetypes?

Thanks,

DalJeanis · ‎09-19-2017

try this...

BREAK_ONLY_BEFORE = ^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}.\d{6}[\s:]

View solution in original post

DalJeanis · ‎09-19-2017

try this...

BREAK_ONLY_BEFORE = ^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}.\d{6}[\s:]

ssaenger · ‎09-19-2017

worked a treat thanks.

How to edit props.conf to cope with two different time values in log file

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!