Hello,

We have log which have 5 different timestamp. I am trying to use custom datetime.xml created using splunk train dates cmd but it is not working.

Different Timestamps

2018-01-05_18:15:42.208
2018-01-05 18:15:42
Jan 5, 2018 6:15:52 PM
<05-Jan-2018 6:15:58,916 EST PM>

custom datetime.xml

    <text><![CDATA[\<(\w+)\s(\d+),\s(\d+)]]></text>


    <text><![CDATA[,\s\d+\s(\d+):(\d+):(\d+)\s(\w+)\s(\w+)]]></text>


    <text><![CDATA[(\d+)-(\d+)-(\d+)]]></text>


    <text><![CDATA[-\d+-\d+_(\d+):(\d+):(\d+)\.(\d+)]]></text>



    <text><![CDATA[(\d+)-(\d+)-(\d+)]]></text>


    <text><![CDATA[-\d+-\d+\s(\d+):(\d+):(\d+)]]></text>



    <text><![CDATA[(\w+)\s(\d+),\s(\d+)]]></text>


    <text><![CDATA[,\s\d+\s(\d+):(\d+):(\d+)\s(\w+)]]></text>



    <text><![CDATA[\<(\d+)-(\w+)-(\d+)]]></text>


    <text><![CDATA[\w-\d+\s(\d+):(\d+):(\d+),\d+\s(\w+)\s(\w+)]]></text>

props.conf
TZ_ALIAS=EST=GMT+11
SHOULD_LINEMERGE=false
NO_BINARY_CHECK=true
CHARSET=UTF-8
disabled=false
DATETIME_CONFIG = /opt/splunk/etc/system/local/datetime.xml
LINE_BREAKER=([\r\n]+)(?:(?:<(\w{3})\s(\d{1,2}),\s(\d{4})\s(\d{1,2}):(\d{2}):(\d{2})\s(\w{2})\s(\w{3})>)|(?:(\d{4})-(\d{2})-(\d{2})_(\d{2}):(\d{2}):(\d{2}).(\d{3}))|(?:(\d{4})-(\d{2})-(\d{2})\s(\d{2}):(\d{2}):(\d{2}))|(?:(\w{3})\s(\d{1,2}),\s(\d{4})\s(\d{1,2}):(\d{2}):(\d{2})\s(\w{2}))|(?:<(\d{1,2})-(\w{3})-(\d{4})\s(\d{1,2}):(\d{2}):(\d{2}),(\d{3})\s(\w{3})\s(\w{2})>))

When testing using above configuration using Add Data - Splunk is not showing any data and reporting "No results found. Please change source type, adjust source type settings, or check your source file."