I've been uploading large files, with each line being a message to be ingested by Sumo Logic. Each line contains a JSON string, with one field being "Timestamp" and a value based on the run time, e.g. "Timestamp": "2018/01/11 19:15:46".
In my collector for this file, I have set it up to extract the timestamp from the log, using the format "yyyy/MM/dd HH:mm:ss" and the locator \"Timestamp\"\: \"(.*?)\" .
Some of the time, when Sumologic ingests the file, it finds the timestamp correctly and configures the message with the right time, but for other parts of the same log file it will ignore the timestamp and use (system) time instead. When this happens, all logs after a certain point in the file will be parsed differently.
As far as I can tell, both messages before and after the 'split' have the same format.
This problem is not consistent: sometimes it occurs, sometimes it does not. Most of the data is consistent from file to file.
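To find the point in a file where lines stop matching, here is an added example (not from the original post or from Sumo Logic) that replays the locator and format from the question over each line and reports, per line, whether the locator matches and whether the captured value parses. It assumes the collector's locator behaves like a Python regex and that the Java-style format "yyyy/MM/dd HH:mm:ss" corresponds to strptime's "%Y/%m/%d %H:%M:%S"; the sample lines are constructed.

```python
import json
import re
from datetime import datetime

# Locator from the post, written as a Python regex, and the equivalent strptime format.
LOCATOR = re.compile(r'"Timestamp": "(.*?)"')
TS_FORMAT = "%Y/%m/%d %H:%M:%S"


def check_line(line):
    """Classify one log line: ok, locator_miss, format_mismatch or bad_json.

    The second tuple element is the parsed datetime for 'ok', otherwise the raw
    value (or None) that helps explain why extraction would fall back to system time.
    """
    try:
        obj = json.loads(line)
    except ValueError:
        return ("bad_json", None)
    match = LOCATOR.search(line)
    if not match:
        # Field may exist but with different spacing, so the regex never fires.
        return ("locator_miss", obj.get("Timestamp"))
    raw = match.group(1)
    try:
        return ("ok", datetime.strptime(raw, TS_FORMAT))
    except ValueError:
        return ("format_mismatch", raw)


def audit(lines):
    """Group 1-based line numbers by status so the first bad line is easy to spot."""
    report = {}
    for number, line in enumerate(lines, 1):
        status, detail = check_line(line.rstrip("\n"))
        report.setdefault(status, []).append((number, detail))
    return report


# Constructed sample: one good line, then three ways extraction can silently fail.
SAMPLE = [
    '{"Timestamp": "2018/01/11 19:15:46", "msg": "ok line"}',
    '{"Timestamp":"2018/01/11 19:15:47", "msg": "no space after colon"}',
    '{"Timestamp": "2018-01-11 19:15:48", "msg": "wrong date separator"}',
    '{"msg": "timestamp field missing"}',
    'not json at all',
]

if __name__ == "__main__":
    for status, hits in audit(SAMPLE).items():
        print(status, hits)
```

Run it against the real file with `audit(open(path))`; the first line number outside the "ok" bucket is where the collector would start stamping messages with system time.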