Hi @ITWhisperer , 

here is the sample output events for one TransactionID.

There is no start time in the event - where do you expect this to be coming from?

Hi @ITWhisperer , 

We are logging from TIBCO BW server to splunk, below is the BW server log, you can see StartTime filed. 

Whereas StartTime filed is not appear in Splunk UI.

So, it looks like everything before the <EndTime> has been stripped presumably when the event was ingested. Do you have access to the relevant config, as you probably need to check that?

Yes , I do have access to check configuration files on server, May I know which configurations I need to check.

Thanks!!

props and transforms for the source type in question.

Hi @ITWhisperer 

Path : //splunkforwarder/etc/system/local

cat props.conf

[eai:tibco:webservices6.5]
MAX_TIMESTAMP_LOOKAHEAD=25
NO_BINARY_CHECK=1
TIME_FORMAT=%Y-%m-%d %H:%M:%S.%3N
TIME_PREFIX=^
TRUNCATE = 50000

Nothing has configured in "transforms.conf"

When you shared the "sample output events for one TransactionID" was that the _raw field?

Yes, I have shared the output of below query

index="eai_prod" sourcetype="eai:tibco:webservices6.5" source="*appnodes/ShipmentOrderCreate*" ":ProcessExecutionStats>" | rex field=_raw "<CorrelationId>(?P<CorrelationId>.*?)<" | rex field=_raw "<CustomerNumber>(?P<CustomerNumber>.*?)<" | rex field=_raw "<TransactionStatus>(?P<TransactionStatus>.*?)<" | rex field=_raw "<JobId>(?P<JobId>.*?)<" | rex field=_raw "<CountryCode>(?P<CountryCode>.*?)<" | rex field=_raw "<StartTime>(?P<StartTime>.*?)<" | rex field=_raw "<EndTime>(?P<EndTime>.*?)<" | rex field=_raw "<ExecutionTimeInMs>(?P<ExecutionTimeInMs>.*?)<" | rename CorrelationId AS TransactionID CustomerNumber AS CustomerNumber TransactionStatus AS Status JobId AS JobId CountryCode AS CountryCode StartTime AS StartTime EndTime AS EndTime ExecutionTimeInMs AS ExecutionTime(ms) | search TransactionID=PDC7_689081105_2181_ORD

Team,

Any help on below issue please?