I am trying to extract the following data, and I want the date which is in the EVENT tab as the default TIME field which is extracted by _time.
Sample data:
2012-02-03 20:11:56 SampleClass3 [INFO] everything normal for id 530537821
2012-02-03 20:11:56 SampleClass3 [TRACE] verbose detail for id 1718828806
2012-02-03 20:11:56 SampleClass8 [DEBUG] detail for id 2083681507
Current Output:
I have tried using different time formats in my props.conf but it didn't work for me. My current props.conf is as follows:
[source::/root/sample.log]
TRANSFORMS-extracted_data = extract-log-type extract-log-date
TIME_FORMAT = %Y-%m-%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 20
SHOULD_LINEMERGE = FALSE
There have been a lot of Q&As about _time but I have not found any definitive answers. Any help is appreciated!
Thank You