You could edit the props.conf's following configs to handle that:
These can be edited under $SPLUNK_HOME/etc/system/local OR in an app under $SPLUNK_HOME/etc/apps depending on your setup.
Hi daniel333, you can use the TIME_PREFIX props setting to tell Splunk the pattern that precedes the timestamp, i.e.
TIME_PREFIX = date="\[
You can then set the MAX_TIMESTAMP_LOOKAHEAD to match the expected number of characters, i.e.
MAX_TIMESTAMP_LOOKAHEAD = 27
This should be effective to cause Splunk to correctly assign a time to the event, but if not you can use TIME_FORMAT and work out the strftime setting that matches the timestamp.
Please let me know if this answers your question!
TIME_PREFIX = date="\[
TIME_FORMAT = %d/%b/%Y:%H:%M:%S %z
MAX_TIMESTAMP_LOOKAHEAD = 26
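Added example, not part of the original answers and not Splunk's own parser: a Python sketch that approximates how the three settings interact (regex prefix, then a character window, then a strptime-style parse), so the values can be checked against a log line before props.conf is changed. The sample event, the function name extract_timestamp and the window-shortening behaviour are assumptions made for illustration.

```python
import re
from datetime import datetime

# Values taken from the answers above; %S is the strptime code for seconds.
TIME_PREFIX = r'date="\['
TIME_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
MAX_TIMESTAMP_LOOKAHEAD = 26

# Constructed sample event (not from a real log).
SAMPLE_EVENT = 'src=10.0.0.5 date="[10/Oct/2023:13:55:36 -0700]" action=allowed'


def extract_timestamp(event, prefix=TIME_PREFIX, fmt=TIME_FORMAT,
                      lookahead=MAX_TIMESTAMP_LOOKAHEAD):
    """Return an aware datetime, or None when no timestamp can be parsed.

    Hypothetical helper: find the prefix, keep only `lookahead` characters
    after it, then parse that window with the time format.
    """
    match = re.search(prefix, event)
    if match is None:
        return None  # prefix never matched, nothing to parse
    window = event[match.end():match.end() + lookahead]
    # A window slightly longer than the timestamp (e.g. 27 includes the
    # closing bracket) is tolerated by dropping trailing characters.
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], fmt)
        except ValueError:
            continue
    return None  # window too short or format mismatch


if __name__ == "__main__":
    for n in (20, 26, 27):
        print(n, extract_timestamp(SAMPLE_EVENT, lookahead=n))
```

With the constructed event, a lookahead of 26 or 27 yields the same timestamp, while 20 cuts off the UTC offset and nothing is parsed.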