Hi All,

I've deployed below props to splunk SHC and IDX clusters but fields are not extracted in splunk. There are WARN messages in splunkd logs as follows DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (50) characters of event. Defaulting to timestamp of previous event (Thu Jan 21 14:02:33 2016). 

Can you please help and let me know if i need to make any changes?

[props]

TIME_PREFIX=^

TIME_FORMAT=%d-%b-%Y %I.%M.%S.%6Q %p

MAX_TIMESTAMP_LOOKAHEAD=50

SHOULD_LINEMERGE=false

NO_BINARY_CHECK=true

LINE_BREAKER=([\r\n])\d+\-\w+\-\d+\s+\d+\.\d+\.\d+\.\d+\s+\w+\s

EXTRACT-field1=regex

EXTRACT-field2=regex

Sample events:

29-APR-21 09.44.57.234427 AM ,TEST , 11,Login ,2098856,4

29-APR-21 09.44.56.234428 AM ,TEST , 12,Login ,2098856,4