Hello,
Just a simple question, why do we've some files which start with
t=<epoch_time> ("alarm/notice") and others with just <epoch_time>
("arp/conn") ?
I ask this because i'm writing a little script and it'll
be more easy to only have one format. 
Best regards,
Jean-philippe.
I think the notice/alarm files are the only ones starting with "t="
but they only do that if you use use_tagging=T. We added this tagged
format to make these files more easily parseable (and also readable
IMHO) though you're right that this is inconsistent with other logs.
However, each log file looks pretty much different anyway and so I
would think that you always need some file-specific parsing logic.
Robin
Hello,
I generally agree though there are two issues to consider:
- tagging is not equally well suited for all logs; something like
http.log does is pretty free-form and harder to force into the
tagging-style.
- it breaks backwards-compatibility, which is large thing because
people have scripts to parse the stuff already.
So my hunch is to stay with what we have for now (i.e., tagged for
notice/alarm, non-tagged for the rest). But I'm not claiming that
this is ideal ...
Robin
Hello,