For the purpose of this problem lets say I have one index, in this index I receive syslog events - one such event has three timestamps. I need to extract the third timestamp for this event.
Aug 15 10:27:23 Host2124.bleh Aug 15 10:27:23 Message forwarded from Host2124: AIXAudit: FILE_Write root FAIL Mon Aug 15 10:01:05 2011
The rest of the events in the index tend to have the usual two and is generally not a problem (splunk takes this fine);
Jul 27 16:04:19 Host3212.bleh.co.uk Jul 27 16:04:19 Message forwarded from Host3212
Does anyone know of a method to have the third timestamp extracted only for that first event and leave the rest of the events in the index as they are? Almost as if we said.. If this regex matches then apply the following timestamp parsing..
Note - These events are the same sourcetype, same index..
Thanks in advance
... View more