Azure Monitor Agent - Data Collection Rules / Custom Text Logs

Minas Stam 20 Reputation points
2026-06-09T12:05:56.9466667+00:00

We are experiencing an issue with Azure Monitor Agent (AMA) Custom Text Log ingestion.

During testing, we observed that AMA correctly identifies new log records when the hour is zero-padded (for example 01:55:00 PM), but fails to consistently recognize timestamps when the hour is not zero-padded (for example 1:55:00 PM).

As a result, multiline log entries are either split into multiple records or merged into adjacent events, causing inaccurate ingestion of the audit data.

To validate the issue, we created multiple test files using different timestamp combinations and confirmed that the behavior is specifically related to single-digit hour values. The issue persists on the latest AMA version.

We would like to understand whether:

  • This behavior is expected for the M/D/YYYY HH:MM:SS AM/PM timestamp format.
  • This is a known issue.
  • There is a supported workaround that would allow AMA to correctly process timestamps with single-digit hour values.
Azure Monitor


Answer accepted by question author

Bharath Y P 10,180 Reputation points Microsoft External Staff Moderator
2026-06-10T09:59:46.4233333+00:00

Hello Minas Stam, you are using Azure Monitor Agent (AMA) custom text log ingestion with timestamp-based multiline detection, and observing the following:

  • Works: 01:55:00 PM (zero‑padded hour)
  • Fails: 1:55:00 PM (single-digit hour)

This leads to incorrect multiline splitting/merging and log records being grouped incorrectly.

While the format M/D/YYYY HH:MM:SS AM/PM is listed as supported, the implementation of AMA parsing is strict and pattern-sensitive. Based on the version notes, earlier AMA versions had parsing inconsistencies for this format, especially affecting multiline detection.

AMA uses strict timestamp pattern matching (internally regex-based) for multiline boundary detection. The mismatch occurs because the parser expects a fixed-width hour (HH) rather than a flexible one (H) when interpreting M/D/YYYY HH:MM:SS AM/PM. As a result, 01:55:00 PM matches the expected pattern, while 1:55:00 PM does not match strictly, so a new record is not detected and lines are appended or merged incorrectly.

  • Normalize the log format: modify log generation to enforce zero-padded hours (01:55:00 PM), which is supported reliably. This is the most stable and officially aligned approach, and it guarantees correct multiline parsing.
  • Use an alternative timestamp format: if feasible, switch to a format with better parsing stability, such as YYYY-MM-DD HH:MM:SS (preferred in enterprise scenarios) or ISO 8601 (yyyy-MM-ddTHH:mm:ssK). These formats are more consistently handled by AMA.
  • Upgrade the AMA agent: ensure you are on a recent AMA version (>= May 2025 builds). The release notes confirm fixes for multiline timestamp parsing issues in M/D/YYYY HH:MM:SS AM/PM. However, even with fixes, strict pattern matching may still require zero-padding.

This is not purely a configuration issue, but a known limitation/behavior of AMA timestamp parsing, especially in older versions. The most reliable fix is to enforce zero-padded hours or migrate to a standardized timestamp format (ISO / 24‑hour).

Hope this helps! Thank you.


1 person found this answer helpful.
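
The following is an added example, not code from this thread or from Microsoft: it shows how a fixed-width hour pattern merges a multiline audit record into the previous event, and how zero-padding the hour before the file is collected restores the record boundaries. The two regular expressions are assumed stand-ins for strict and flexible matching, not AMA's actual patterns, and the sample log lines and function names are constructed for illustration.

```python
import re

# Assumed stand-ins for the behaviour described in the answer; these are NOT
# AMA's real patterns. STRICT needs a two-digit hour, FLEXIBLE accepts one or two.
STRICT = re.compile(r"^\d{1,2}/\d{1,2}/\d{4} \d{2}:\d{2}:\d{2} (?:AM|PM)\b")
FLEXIBLE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4}) (\d{1,2})(:\d{2}:\d{2} (?:AM|PM)\b)")


def split_records(lines, boundary):
    """Group lines into records; a line matching `boundary` starts a new record."""
    records = []
    for line in lines:
        if boundary.match(line) or not records:
            records.append([line])
        else:
            records[-1].append(line)  # continuation line of a multiline record
    return records


def normalize_line(line):
    """Zero-pad a single-digit hour in a leading M/D/YYYY H:MM:SS AM/PM stamp."""
    pad = lambda m: f"{m.group(1)} {int(m.group(2)):02d}{m.group(3)}"
    return FLEXIBLE.sub(pad, line, count=1)


def unpadded_hours(lines):
    """Return 1-based line numbers whose leading timestamp has a one-digit hour."""
    return [n for n, line in enumerate(lines, 1)
            if FLEXIBLE.match(line) and not STRICT.match(line)]


# Constructed sample audit log: three events, the second spans two lines.
SAMPLE = [
    "6/9/2026 12:59:58 PM user=alice action=login result=success",
    "6/9/2026 1:55:00 PM user=bob action=policy_change",
    "    detail: audit policy modified",
    "6/9/2026 01:56:10 PM user=carol action=logout",
]

if __name__ == "__main__":
    # Strict matching swallows bob's event into alice's record.
    print("records before:", len(split_records(SAMPLE, STRICT)))
    fixed = [normalize_line(line) for line in SAMPLE]
    # After zero-padding, each event is its own record again.
    print("records after:", len(split_records(fixed, STRICT)))
    print("lines needing padding:", unpadded_hours(SAMPLE))
```

Running `unpadded_hours` over existing log files is a quick way to find which events are at risk of being merged before changing the log generator.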
