I have tried a few combinations of formats/parsers to get the date and time fields combined and show up in LogInsight as the timestamp field. All the other fields work and the timestamp field populates with the timestamp of when the agent processed the file. I would have loved the CLF parser to support any white space as a delimiter, but alas no such luck.
This is a tab delimited file with time and date in separate fields
2018-02-15 13:24:47 - 192.123.241.196 GET /sample/url 200 18286 0.001 - -
format=(?<timestamp>[^\t]*)\t(?<timestamp>[^\t]*)\t(?<remote_auth_user>[^\t]*)\t(?<remote_ip>[^\t]*)\t(?<request_method>[^\t]*)\t(?<requested_url>[^\t]*)\t(?<status_code>[^\t]*)\t(?<response_size>[^\t]*)\t(?<request_time_sec>[^\t]*)\t"?(?<User_Agent>[^\t]*)"?\t"?(?<Referer>.*)"?
field_decoder={"timestamp": "timestamp"}
LogInsight agent logs:
Parser 'WebLogicAccessParser' return the following fields: timestamp="2018-02-15", timestamp="2018-02-15", remote_auth_user="-", remote_ip="192.123.241.196", request_method="GET", requested_url="/sample/url", status_code="200", response_size="18286", request_time_sec="0.001", user_agent="-", referer="-"
LogInsight timestamp: 2018-02-15 13:24:48.212
expected LogInsight timestamp: 2018-02-15 13:24:47.0
also tried the following with the date and time fields becoming independent from the timestamp field the the timestamp field being about 1 second out of sync. When the agent is stopped and then restarted, the timestamp is further away from the actual event
format=(?<date>[^\t]*)\t(?<time>[^\t]*)\t(?<remote_auth_user>[^\t]*)\t(?<remote_ip>[^\t]*)\t(?<request_method>[^\t]*)\t(?<requested_url>[^\t]*)\t(?<status_code>[^\t]*)\t(?<response_size>[^\t]*)\t(?<request_time_sec>[^\t]*)\t"?(?<User_Agent>[^\t]*)"?\t"?(?<Referer>.*)"?
field_decoder={"date": "timestamp","time": "timestamp"}
