QUESTION

How do I set up a custom schema using fastmatch if the logs I'm using have timestamps in a format like the following?

Feb 16 15:52:45 system app[123]: Message with spaces

ANSWER

Fastmatch doesn't support timestamps with spaces because fastmatch treats spaces as a delimiter. For logs like the sample above, we would recommend using regex, such as the following.

([A-Z][a-z]+ \d{1,2} \d{2}:\d{2}:\d{2}) (.*)

For more information about fastmatch, see our documentation here.
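The following is an added example (not part of the original answer or of the fastmatch documentation) that shows why a space-delimited parser cuts the sample timestamp into three fields and how the regex from the answer recovers it whole. The timestamp regex is the one given above; the second pattern that splits the remainder into host, program, pid and message, the sample lines, and the assumed year (syslog-style timestamps carry none) are constructed for this example.

```python
"""Parse syslog-style lines whose timestamp contains spaces."""
import re
from datetime import datetime

# Regex from the answer above: group 1 is the timestamp, group 2 the rest of the line.
LINE_RE = re.compile(r"([A-Z][a-z]+ \d{1,2} \d{2}:\d{2}:\d{2}) (.*)")

# Assumed extension (not on the page): split the remainder into host, program,
# optional pid and free-text message, e.g. "system app[123]: Message with spaces".
REST_RE = re.compile(r"(\S+) ([^\[\s:]+)(?:\[(\d+)\])?: (.*)")

# Constructed sample lines in the format shown in the question.
SAMPLE_LINES = [
    "Feb 16 15:52:45 system app[123]: Message with spaces",
    "Mar 5 09:01:02 host2 sshd[999]: Accepted publickey for user",
    "Feb 17 00:00:01 host3 cron: job started",
]


def first_space_delimited_field(line):
    """Mimic a parser that treats spaces as delimiters: the first field is only
    the month name, so the timestamp cannot be captured as one value."""
    return line.split(" ", 1)[0]


def parse_line(line, year=2024):
    """Return a dict of parsed fields, or None when the line does not match.

    The year is an assumption: the timestamp format has no year, so a caller
    must supply one (typically the year the log was collected)."""
    m = LINE_RE.fullmatch(line)
    if not m:
        return None
    ts_text, rest = m.groups()
    ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
    record = {"timestamp": ts, "rest": rest}
    r = REST_RE.fullmatch(rest)
    if r:
        host, program, pid, message = r.groups()
        record.update(
            host=host,
            program=program,
            pid=int(pid) if pid else None,
            message=message,
        )
    return record


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print("space-delimited first field:", first_space_delimited_field(sample))
        print("regex parse:", parse_line(sample))
```

Lines that do not match the timestamp pattern return None rather than a partial record, so a pipeline can count and inspect unparsed lines instead of silently mis-assigning fields.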