patterndb skewing timestamps
I've been working a bit over the last few weeks with patterndb, specifically correlating messages. I just noticed that when log messages are correlated, patterndb is skewing the timestamps from the first message (possibly others in between as well) by a few seconds. While this may not seem like a big problem, it results in logs that do not align properly in history.

A little on the configuration. I have two patterns to match; on receiving the second, I generate a new message with the format:

    logHost=${HOST} mapStart=${S_UNIXTIME}@2 mapStop=${S_UNIXTIME} protocol=${PROGRAM} insideAddr=${.dict.insideAddr}@1 insidePort=${.dict.insidePort}@1 outsideAddr=${.dict.outsideAddr}@1 outsidePort=${.dict.outsidePort}@1 destAddr=${.dict.destAddr}@2 destPort=${.dict.destPort}@2

My original log lines are as follows:

    Dec 1 08:39:41 AX2600 UC: e0a8636e:a16c->5f2c65b3:a16c to 8f2c77ca:a1
    Dec 1 08:48:06 AX2600 UF: e0a8636e:a16c->5f2c65b3:a16c

The generated log line is:

    logHost=RHOSTNAME mapStart=1322747067 mapStop=1322747286 protocol=U insideAddr=e0a8636e insidePort=a16c outsideAddr=5f2c65b3 outsidePort=a16c destAddr=80a8650c destPort=3f

According to the docs, S_ represents the log message time, so that means mapStart should line up, but it does not: 1322747067 == Thu Dec 01 2011 08:44:27. The stop message does not suffer from this issue.

Anyone have a workaround for this? I tried using R_UNIXTIME@2 instead, but that is also skewed.

-- Frank Clements
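A small check for the problem described above, added here as an example and not part of the original post or of syslog-ng/patterndb: it parses the two original syslog lines and the generated correlation line, converts the syslog timestamps to Unix epoch, and reports how far mapStart and mapStop drift from the messages they are supposed to reflect. Syslog lines carry no year or zone, so the year (2011) and the UTC offset (-5 hours) are assumptions taken from the poster's own conversion of 1322747067 to "Dec 01 2011 08:44:27"; the sample lines are copied from the post.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed input: the two original messages and the generated line from the post.
ORIGINAL_LINES = [
    "Dec 1 08:39:41 AX2600 UC: e0a8636e:a16c->5f2c65b3:a16c to 8f2c77ca:a1",
    "Dec 1 08:48:06 AX2600 UF: e0a8636e:a16c->5f2c65b3:a16c",
]
GENERATED_LINE = (
    "logHost=RHOSTNAME mapStart=1322747067 mapStop=1322747286 protocol=U "
    "insideAddr=e0a8636e insidePort=a16c outsideAddr=5f2c65b3 outsidePort=a16c "
    "destAddr=80a8650c destPort=3f"
)

# Assumptions (not in the syslog lines themselves): year and local UTC offset.
ASSUMED_YEAR = 2011
ASSUMED_UTC_OFFSET_HOURS = -5

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}

# Classic BSD syslog header: "Mon  d HH:MM:SS host program: ..."
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+(?P<prog>[^:\s]+):"
)


def syslog_epoch(line, year=ASSUMED_YEAR, utc_offset_hours=ASSUMED_UTC_OFFSET_HOURS):
    """Convert a BSD-syslog header timestamp to Unix epoch seconds."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a BSD syslog line: %r" % line)
    hour, minute, second = (int(x) for x in m["time"].split(":"))
    tz = timezone(timedelta(hours=utc_offset_hours))
    dt = datetime(year, MONTHS[m["mon"]], int(m["day"]),
                  hour, minute, second, tzinfo=tz)
    return int(dt.timestamp())


def epoch_to_local(epoch, utc_offset_hours=ASSUMED_UTC_OFFSET_HOURS):
    """Render an epoch value the way the poster did, in the assumed local zone."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.fromtimestamp(epoch, tz).strftime("%Y-%m-%d %H:%M:%S")


def parse_kv(line):
    """Split a 'key=value key=value' line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split())


def timestamp_skew(original_lines, generated_line,
                   year=ASSUMED_YEAR, utc_offset_hours=ASSUMED_UTC_OFFSET_HOURS):
    """Return how many seconds mapStart/mapStop differ from the first/last original message.

    A correct correlation would give 0 for both; a positive value means the
    generated field is later than the message it should have been taken from.
    """
    fields = parse_kv(generated_line)
    actual = [syslog_epoch(l, year, utc_offset_hours) for l in original_lines]
    return {
        "mapStart": int(fields["mapStart"]) - actual[0],
        "mapStop": int(fields["mapStop"]) - actual[-1],
    }


if __name__ == "__main__":
    skew = timestamp_skew(ORIGINAL_LINES, GENERATED_LINE)
    for name, secs in skew.items():
        print("%s skew: %+d s" % (name, secs))
    print("mapStart renders as", epoch_to_local(1322747067))
```

Run against the post's data the check shows mapStop exactly matching the second message and mapStart sitting several minutes after the first one, which is the mismatch the post is about; the same function can be pointed at any batch of correlated lines to spot timeline drift before it reaches an investigation.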
participants (1)
-
Clements, Frank