Hi everyone!
I have a log with a strange format. The file name contains the full date and the hour of the event, and the minute:second are in the events inside the file, line by line.
For example:
File name: 16110810.log // it means yymmddHH
Lines:
10:01 xxx xxx xxx // it means MM:SS
10:02 yyy yyy yyy // it means MM:SS
Does anybody have any ideas how to extract the time correctly other than at search time with eval?
I tried changing datetime.xml, but I also have the hour stamp in the file name and it didn't work. Now I'm thinking about overwriting the _time field at index time, but I'm not sure it is possible. Is there maybe a workaround? I have this data in a dedicated index and with its own sourcetype, of course.
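The timestamp reconstruction described in the post, done as a preprocessing step before ingestion (an added example, not part of the original post and not a Splunk configuration): it joins the yymmddHH from the file name with each line's MM:SS. The function names, the sample lines beyond the two in the post, and the UTC assumption are hypothetical.

```python
import re
from datetime import datetime, timezone
from pathlib import PurePath

FILENAME_RE = re.compile(r"^(\d{8})\.log$")        # yymmddHH.log
LINE_RE = re.compile(r"^(\d{2}):(\d{2})\s+(.*)$")  # MM:SS <event text>


def file_hour(path):
    """Return the date and hour encoded in a yymmddHH.log file name."""
    m = FILENAME_RE.match(PurePath(path).name)
    if not m:
        raise ValueError(f"file name is not yymmddHH.log: {path!r}")
    # strptime rejects impossible values such as month 13 or hour 24.
    # Assumption: the source logs in UTC; change tzinfo if it logs local time.
    base = datetime.strptime(m.group(1), "%y%m%d%H")
    return base.replace(tzinfo=timezone.utc)


def stamp_lines(path, lines):
    """Yield (iso_timestamp, event_text) for every well-formed MM:SS line."""
    base = file_hour(path)
    for raw in lines:
        m = LINE_RE.match(raw.rstrip("\r\n"))
        if not m:
            continue  # no MM:SS prefix: leave it out rather than guess a time
        minute, second = int(m.group(1)), int(m.group(2))
        if minute > 59 or second > 59:
            continue  # out-of-range value, not a usable timestamp
        ts = base.replace(minute=minute, second=second)
        yield ts.isoformat(), m.group(3)


# Constructed sample: the first two lines are the ones from the post,
# the last two are malformed lines added to show the skip behaviour.
SAMPLE_NAME = "16110810.log"
SAMPLE_LINES = [
    "10:01 xxx xxx xxx\n",
    "10:02 yyy yyy yyy\n",
    "line without a time prefix\n",
    "61:00 minute out of range\n",
]

if __name__ == "__main__":
    for ts, text in stamp_lines(SAMPLE_NAME, SAMPLE_LINES):
        print(ts, text)
```

Writing the full timestamp at the start of each line gives the indexer a single complete value to parse, so the hour no longer has to be recovered from the file name.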