I have no idea what I'm missing here, just no idea, and I have to admit it's killing me inside; I have been stuck on this for 2 weeks!
For some random reason, Splunk decides to index all my timestamps in Australian format (which is what I want!), but decides to index a small number of them in American format (even though they're from the same log!).
Here is a copy of the sourcetype stanza in props.conf:
TIME_FORMAT = %d/%m/%Y %H:%M:%S.%3N
TZ = Australia/Victoria
TIME_PREFIX = ^
And here is a copy of the log I'm ingesting:
What Splunk gets: 05/01/2013 11:19:37.222
What the log really states: [01/05/2013 11:19:37.222 INFO ] - [AuditLogger] - SessionId=#####; UserId=#####; Event=#####; MSISDN=#######
And please note, it only does this for a small number of events like the one above; the other timestamps are extracted in the correct format! All the other events look exactly like the one I pasted above, so I have no idea WHAT TO DO NEXT!
Please, all I want is for my logs to be indexed in Australian format, please.
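As an added illustration (not part of the question, and not Splunk's own code), the script below applies a props.conf TIME_PREFIX / TIME_FORMAT pair to sample lines the way those two settings describe it: find the prefix regex, then require the timestamp to start immediately after the match. It uses the stanza values from the question and constructed events in the same layout as the posted log line, and it lists the events whose day-of-month is 12 or less, since those are the only timestamps where a day/month swap still produces a valid date and so the only ones where a parsing problem can show up. The strict regex/strptime matching and the second prefix value `^\[` are assumptions of the example; Splunk's real timestamp extractor is more tolerant than this.

```python
import re
from datetime import datetime

# Settings copied from the props.conf stanza in the question.
TIME_PREFIX = "^"
TIME_FORMAT = "%d/%m/%Y %H:%M:%S.%3N"

# Constructed sample events in the same layout as the posted log line;
# the field values are placeholders, not real data.
SAMPLE_EVENTS = [
    "[01/05/2013 11:19:37.222 INFO ] - [AuditLogger] - SessionId=#####; UserId=#####",
    "[13/05/2013 08:02:11.005 INFO ] - [AuditLogger] - SessionId=#####; UserId=#####",
    "[05/01/2013 23:59:59.999 WARN ] - [AuditLogger] - SessionId=#####; UserId=#####",
]

# strftime directives this example understands, mapped to the text each one consumes.
DIRECTIVE_RE = {
    "%d": r"\d{2}", "%m": r"\d{2}", "%Y": r"\d{4}",
    "%H": r"\d{2}", "%M": r"\d{2}", "%S": r"\d{2}",
    "%3N": r"\d{3}", "%6N": r"\d{6}", "%N": r"\d{9}",
}


def format_to_regex(time_format):
    """Turn a TIME_FORMAT string into a regex matching exactly the text it describes."""
    pattern, i = "", 0
    while i < len(time_format):
        if time_format[i] != "%":
            pattern += re.escape(time_format[i])
            i += 1
            continue
        # Try the three-character directives (%3N, %6N) before the two-character ones.
        for width in (3, 2):
            token = time_format[i:i + width]
            if token in DIRECTIVE_RE:
                pattern += DIRECTIVE_RE[token]
                i += width
                break
        else:
            raise ValueError("unsupported directive at: %r" % time_format[i:])
    return pattern


def extract_timestamp(line, time_prefix, time_format):
    """Apply TIME_PREFIX, then TIME_FORMAT: the timestamp has to begin right after
    the prefix match. Returns a datetime, or None when the format does not match there.
    Strict matching is an assumption of this example, not a statement about Splunk."""
    prefix = re.search(time_prefix, line)
    if prefix is None:
        return None
    ts = re.compile(format_to_regex(time_format)).match(line, prefix.end())
    if ts is None:
        return None
    # Python's strptime has no %N; %f accepts 1-6 digits and scales them to microseconds.
    return datetime.strptime(ts.group(0), re.sub(r"%\d?N", "%f", time_format))


def ambiguous_event_indexes(events, time_prefix, time_format):
    """Indexes of events whose day-of-month is 12 or less: only in those can a
    day/month swap still yield a valid date, so a parsing problem would be visible
    in them and nowhere else."""
    flagged = []
    for i, line in enumerate(events):
        dt = extract_timestamp(line, time_prefix, time_format)
        if dt is not None and dt.day <= 12:
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    # Run the sample events through the question's prefix and through an assumed
    # alternative that skips the leading bracket, and compare what each yields.
    for prefix in (TIME_PREFIX, r"^\["):
        print("TIME_PREFIX = %s" % prefix)
        for line in SAMPLE_EVENTS:
            dt = extract_timestamp(line, prefix, TIME_FORMAT)
            print("  %-26s <- %s" % (dt.isoformat() if dt else "no match", line[:24]))
        print("  ambiguous:", ambiguous_event_indexes(SAMPLE_EVENTS, prefix, TIME_FORMAT))
```

Running it prints, for each prefix, where the format does and does not match and which events fall into the ambiguous day-of-month range; the same two functions can be pointed at a real extract of the log to see how many events are in that range before and after a settings change.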