Panther Knowledge Base

Can I use Panther's fastmatch in a custom schema for timestamps with spaces?

QUESTION

How do I set up a custom schema using fastmatch if the logs I'm using have timestamps in a format like the following?

Feb 16 15:52:45 system app[123]: Message with spaces

ANSWER

Fastmatch doesn't support timestamps containing spaces, because fastmatch treats a space as a delimiter. For logs like the sample above, we recommend using a regex such as the following:

([A-Z][a-z]+ \d{1,2} \d{2}:\d{2}:\d{2}) (.*)

For more information about fastmatch, see our documentation here.
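The following is an added example (not Panther's parser or schema code) showing why a space-delimited matcher cannot capture the timestamp in the sample line as one value, and how the regex above extracts it instead. The sample line is the one from the question, the named groups and the supplied year are assumptions made for this example.

```python
import re
from datetime import datetime
from typing import List, Optional

# Constructed sample line in the format the question describes.
SAMPLE = "Feb 16 15:52:45 system app[123]: Message with spaces"

# The regex from the answer, with named groups added so each capture
# can be mapped to a field of its own.
LINE_RE = re.compile(
    r"(?P<timestamp>[A-Z][a-z]+ \d{1,2} \d{2}:\d{2}:\d{2}) (?P<rest>.*)"
)


def split_on_spaces(line: str) -> List[str]:
    """Mimic a delimiter-based matcher where every space ends a token.

    This is why fastmatch cannot take the timestamp as one value: 'Feb',
    '16' and '15:52:45' come out as three separate tokens.
    """
    return line.split(" ")


def parse_line(line: str, year: int) -> Optional[dict]:
    """Extract timestamp and the rest of the line with the regex.

    Returns None when the line does not match. The timestamp format has
    no year, so the caller supplies one (an assumption for this example;
    strptime alone would default to 1900).
    """
    m = LINE_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    ts = datetime.strptime(fields["timestamp"], "%b %d %H:%M:%S")
    fields["parsed_timestamp"] = ts.replace(year=year)
    return fields


if __name__ == "__main__":
    print(split_on_spaces(SAMPLE)[:3])
    print(parse_line(SAMPLE, year=2024))
```

Note that BSD-style syslog pads a single-digit day with a space ("Feb  9 15:52:45"), which the single literal space before `\d{1,2}` in this pattern will not match; allow for that if your source emits such lines.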
