Hi daniel333, you can use the TIME_PREFIX props setting to tell Splunk the pattern that precedes the timestamp, i.e.
TIME_PREFIX = date="\[
You can then set the MAX_TIMESTAMP_LOOKAHEAD to match the expected number of characters, i.e.
MAX_TIMESTAMP_LOOKAHEAD = 27
This should be effective to cause Splunk to correctly assign a time to the event, but if not you can use TIME_FORMAT and work out the strftime setting that matches the timestamp.
Please let me know if this answers your question!
You could edit the following configs in props.conf to handle that:
These can be edited under $SPLUNK_HOME/etc/system/local OR in an app under $SPLUNK_HOME/etc/apps depending on your setup.
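An added example, not part of either answer: a simplified Python model of how TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD bound the text Splunk scans for a timestamp, useful for checking that the lookahead value actually covers the whole timestamp before deploying the props.conf change. The sample events and the TIME_FORMAT pattern are assumptions, since the thread does not show the original event layout.

```python
import re
from datetime import datetime

# Settings quoted in the first answer.
TIME_PREFIX = r'date="\['
MAX_TIMESTAMP_LOOKAHEAD = 27
# Assumption: timestamp layout of the constructed samples below.
TIME_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample events (not from the thread). The second carries an
# earlier, unrelated timestamp that the prefix must skip over.
SAMPLE = 'host=web01 date="[12/Mar/2019:10:15:30 +0000]" status=200'
SAMPLE_TWO_TIMES = ('queued="[11/Mar/2019:23:59:59 +0000]" '
                    'date="[12/Mar/2019:10:15:30 +0000]" status=200')


def timestamp_window(event, prefix=TIME_PREFIX,
                     lookahead=MAX_TIMESTAMP_LOOKAHEAD):
    """Return the slice that is scanned for a timestamp, or None.

    Scanning starts right after the first TIME_PREFIX match and covers at
    most MAX_TIMESTAMP_LOOKAHEAD characters.
    """
    match = re.search(prefix, event)
    if match is None:
        return None
    return event[match.end():match.end() + lookahead]


def parse_event_time(event, lookahead=MAX_TIMESTAMP_LOOKAHEAD):
    """Parse the timestamp at the start of the window, or return None."""
    window = timestamp_window(event, lookahead=lookahead)
    if window is None:
        return None
    # strptime needs an exact match, so drop trailing characters (such as
    # the closing bracket) until the format fits or nothing is left.
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], TIME_FORMAT)
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    for event in (SAMPLE, SAMPLE_TWO_TIMES):
        print(repr(timestamp_window(event)), parse_event_time(event))
    # A lookahead that is too short truncates the timestamp.
    print(parse_event_time(SAMPLE, lookahead=20))
```

If the parse returns None for a real event, the lookahead is too short for that timestamp or TIME_FORMAT does not match it.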