In this sourcetype definition the MAX_TIMESTAMP_LOOKAHEAD is missing. Which value would fit best?
[sshd_syslog]
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N %z
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}
SHOULD_LINEMERGE = false -
TRUNCATE = 0 -
Event example:
2018-04-13 13:42:41.214 -0500 server sshd[26219]: Connection from 172.0.2.60 port 47366
The MAX_TIMESTAMP_LOOKAHEAD setting determines how many characters Splunk should look into each event to find the timestamp. Given the event example '2018-04-13 13:42:41.214 -0500', which is a total of 29 characters long including the timestamp and the space, setting MAX_TIMESTAMP_LOOKAHEAD to 30 ensures Splunk captures the entire timestamp without missing any part of it. Using a smaller value like 10 or 20 would not be sufficient to capture the whole timestamp correctly.
D. MAX_TIMESTAMP_LOOKAHEAD = 30 >>> is right Please find below link https://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Configuretimestamprecognition
D is correct
MAX_TIMESTAMP_LOOKAHEAD=10 is not enough to catch the whole timestamp
https://docs.splunk.com/Documentation/Splunk/8.1.1/Data/Configuretimestamprecognition "Specify how far (how many characters) into an event Splunk software should look for a timestamp."
Is C a better choice ? Because date + time is 19 characters, 20 is ok or am I wrong ?
sorry for my question, I stupidly look at the format.... 30 is good
https://docs.splunk.com/Documentation/Splunk/8.1.1/Data/Configuretimestamprecognition "Specify how far (how many characters) into an event Splunk software should look for a timestamp." since TIME_PREFIX = ^ and timestamp is from 0-29 position, so D=30 will pick up the WHOLE timestamp correctly.
2018-04-13 13:42:41.214 -0500 is much more than 10 characters long. 30 will catch it.