For the purpose of this problem lets say I have one index, in this index I receive syslog events - one such event has three timestamps. I need to extract the third timestamp for this event.
Aug 15 10:27:23 Host2124.bleh Aug 15 10:27:23 Message forwarded from Host2124: AIXAudit: FILE_Write root FAIL Mon Aug 15 10:01:05 2011
The rest of the events in the index tend to have the usual two and is generally not a problem (splunk takes this fine);
Jul 27 16:04:19 Host3212.bleh.co.uk Jul 27 16:04:19 Message forwarded from Host3212
Does anyone know of a method to have the third timestamp extracted only for that first event and leave the rest of the events in the index as they are? Almost as if we said.. If this regex matches then apply the following timestamp parsing..
Note - These events are the same sourcetype, same index..
Thanks in advance
In theory, using TIME_PREFIX with a greedy regex should work. Something like:
TIME_PREFIX="^.*Message forwarded from"
should find the last instance of "Message forwarded from" since .* is greedy and will consume as much as it can. TIME_PREFIX essentially consumes and excludes part of the line from timestamp recognition.
That being said, I'm having trouble getting TIME_PREFIX to work for me at the moment, YMMV.