The following settings don't seem to tell Splunk where to locate the timestamp, although I have tried the same regex in the vi editor to verify that the expression is correct. Any ideas?
TIME_FORMAT=%d%t%b%t%H:%M:%S
TIME_PREFIX=\d{2}\s\w{3}\s\d{2}:\d{2}:\d{2}
Sample of the log:
[27779] 27 Mar 22:01:27 * 1 changes in 900 seconds. Saving...
[27779] 27 Mar 22:01:27 * Background saving started by pid 3915
[3915] 27 Mar 22:01:27 * DB saved on disk
[27779] 27 Mar 22:01:27 * Background saving terminated with success
[27779] 27 Mar 22:05:35 # Received SIGTERM, scheduling shutdown...
[27779] 27 Mar 22:05:36 # User requested shutdown...
[27779] 27 Mar 22:05:36 * Saving the final RDB snapshot before exiting.
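An added example (editor's code, not from the poster and not Splunk's own parser) that emulates Splunk's documented order of operations for these two settings: TIME_PREFIX is a regex for the text that comes *before* the timestamp, and the timestamp is then read with TIME_FORMAT from the text following the end of the first prefix match, within MAX_TIMESTAMP_LOOKAHEAD characters (default 128). Run against constructed lines shaped like the log above, it shows that the posted TIME_PREFIX consumes the timestamp itself, leaving nothing for TIME_FORMAT to parse, while a prefix that matches the bracketed pid does parse. The sample lines, the corrected prefix/format, the year filled in for a year-less timestamp, and the directive table are all assumptions of this example. The emulator treats %t as POSIX strptime does (any whitespace); whether Splunk itself honours %t is not something this code can verify, so the corrected format uses literal spaces.

```python
import re
from datetime import datetime

# Constructed sample, shaped like the log in the question: "[pid] DD Mon HH:MM:SS * message".
SAMPLE_LOG = [
    "[27779] 27 Mar 22:01:27 * 1 changes in 900 seconds. Saving...",
    "[3915] 27 Mar 22:01:27 * DB saved on disk",
    "[27779] 27 Mar 22:05:35 # Received SIGTERM, scheduling shutdown...",
]

# The settings from the question, and an assumed corrected pair (not from the question).
POSTED_PREFIX = r"\d{2}\s\w{3}\s\d{2}:\d{2}:\d{2}"   # matches the timestamp itself
POSTED_FORMAT = "%d%t%b%t%H:%M:%S"
FIXED_PREFIX = r"^\[\d+\]\s"                          # text *before* the timestamp: bracketed pid + space
FIXED_FORMAT = "%d %b %H:%M:%S"                       # literal spaces instead of %t

# strptime directives this emulator understands. In POSIX strptime, %t and %n match any whitespace.
DIRECTIVES = {
    "%d": r"(?P<day>\d{1,2})",
    "%b": r"(?P<mon>[A-Za-z]{3})",
    "%H": r"(?P<hour>\d{2})",
    "%M": r"(?P<minute>\d{2})",
    "%S": r"(?P<second>\d{2})",
    "%Y": r"(?P<year>\d{4})",
    "%t": r"\s+",
    "%n": r"\s+",
}
MONTHS = {m: i for i, m in enumerate(
    ["jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep", "oct", "nov", "dec"], start=1)}


def format_to_regex(time_format):
    """Translate a strptime-style TIME_FORMAT into a regex with named groups."""
    parts = []
    i = 0
    while i < len(time_format):
        ch = time_format[i]
        if ch == "%" and i + 1 < len(time_format):
            directive = time_format[i:i + 2]
            if directive not in DIRECTIVES:
                raise ValueError("unsupported directive %r" % directive)
            parts.append(DIRECTIVES[directive])
            i += 2
        elif ch.isspace():
            parts.append(r"\s+")  # whitespace in a strptime format matches any run of whitespace
            i += 1
        else:
            parts.append(re.escape(ch))
            i += 1
    return re.compile("".join(parts))


def extract_timestamp(line, time_prefix, time_format, lookahead=128, default_year=2000):
    """Find TIME_PREFIX, then parse TIME_FORMAT from the text right after the match.

    default_year is an assumption of this example; the log carries no year.
    Returns a datetime, or None when either step fails (Splunk would then fall back
    to its other timestamp heuristics; this emulator does not).
    """
    prefix_match = re.search(time_prefix, line)
    if prefix_match is None:
        return None
    window = line[prefix_match.end():prefix_match.end() + lookahead]
    ts_match = format_to_regex(time_format).match(window)
    if ts_match is None:
        return None
    g = ts_match.groupdict()
    return datetime(
        int(g["year"]) if g.get("year") else default_year,
        MONTHS[g["mon"].lower()] if g.get("mon") else 1,
        int(g["day"]) if g.get("day") else 1,
        int(g.get("hour") or 0), int(g.get("minute") or 0), int(g.get("second") or 0),
    )


def run_comparison(line=SAMPLE_LOG[0]):
    """Parse one line under three configurations; values are ISO timestamps or None."""
    cases = {
        "posted": (POSTED_PREFIX, POSTED_FORMAT),
        "fixed_prefix_only": (FIXED_PREFIX, POSTED_FORMAT),
        "fixed_both": (FIXED_PREFIX, FIXED_FORMAT),
    }
    results = {}
    for name, (prefix, fmt) in cases.items():
        ts = extract_timestamp(line, prefix, fmt)
        results[name] = ts.isoformat() if ts else None
    return results


if __name__ == "__main__":
    for sample in SAMPLE_LOG:
        print(sample)
        for name, value in run_comparison(sample).items():
            print("  %-18s %s" % (name, value))
```

The "fixed_prefix_only" case isolates the prefix as the problem: once the prefix points at the pid, even the posted format parses under POSIX %t semantics. A quick sanity check when debugging TIME_PREFIX is to look at what the regex leaves *after* its match, since that is the only text Splunk will hand to TIME_FORMAT.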