I'm currently working through each of my company's Java apps and updating their sourcetypes using transforms and regexing each sourcetype. With a few exceptions, most apps will have an app, access and audit log.
The one issue I've now run into is that one of the apps we use has several logs that would fall under the "app log" remit; however, the log formatting is completely different, so there is no way to use the standard regex we use for app logs.
For example, a standard app log would have each entry prefixed with the following date/time:
2020-02-10T00:02:39,851
The app I'm currently working on has an app log of:
Feb 10, 2020 10:40:03 AM GMT
Is it possible to have multiple BREAK_ONLY_BEFORE regexes for a sourcetype in props.conf? I'm trying to avoid having to create a brand-new sourcetype just for one app's app log.
I hope this question makes sense. Please let me know if you need any more information.