Yes - it does not do what it is supposed to do. I want to extract the day from "Aug 18 17:11:16" and "Aug 8 17:11:16". %e is not white space padded.
... View more
See my answer to a similar question
http://splunk-base.splunk.com/answers/36207/how-do-i-configure-timestamp-extraction-where-day-may-be-one-or-two-digits
hth,
Kristian
... View more