The date format in your log file can be different from the default date format supported by Log Analysis insight pack. For example if your log file contains following lines and you want to use IBM MQ Series insight pack to parse these lines.


The default date format supported by the Source Type provided in IBM MQ insight pack is MM/dd/yyyy HH:mm:ss which is different from the date format in your log file which is MM/dd/yyyy hh:mm:ss aa.

In order to index your logfile, you need to create a copy (clone) of the sourcetype WMQ_AMQERR from IBM MQ Series Insight pack,and modify the date format. This is made easy in Log Analysis 1.3.2 where you can provide inputs in UI v/s modifying json text in previous versions of Log Analysis.

In order to clone source type, after logging in,

a) go to Administrative settings, under Data Types tab, expand Source Types, select WMQ_AMQERR and click on clone icon, a form pre-filled with splitter and annotator details will be presented to you as shown below.


b) Change the name of the source type. For example customer1_wmqerr and then click on Edit index Configuration button, which will show the table view of all fields including timestamp as shown below.


c) to change the date format, click on DATE drop down box, A form displaying different date formats will appear, if the date format from your log file does not exist here. you could enter it manually as shown below. uncheck the previously chosen date format and click on OK. you can see the new date format in the table as shown below.

Click on OK on this screen and OK on cloning screen, when presented with a confirmation text window, click OK there. A new SoureceType which is copy of WMQ_AMQERR is now ready for use. You can create a new datasource with this source type and index your log file and search them.

You can also change attributes of fields during cloning as needed for your logs, Example you want to change the filterable attribute of a field, you could change it during SourceType cloning.

