The timestamp is at the very beginning of a multi-line event. I have also played with TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD without luck.
The current config I have is:
NO_BINARY_CHECK=1
BREAK_ONLY_BEFORE_DATE=true
CHARSET=ISO-8859-1
LEARN_SOURCETYPE=true
SHOULD_LINEMERGE=true
TIME_FORMAT=%Y.%m.%d %H:%M:%S:%3N %Z
TIME_PREFIX=^
MAX_TIMESTAMP_LOOKAHEAD=27
I've tried uploading a file into the index to make sure it wasn't a problem with the data previewer but it still comes in without the milliseconds.
... View more