I am onboarding data from Trend Micro Portable Security via HEC. As per the Trend Micro documentation, it needs 5 indexes to be created at the Splunk end, namely scannedlog, detectedlog, assetinfo, updateinfo and applicationinfo. We have created these indexes on the HF and used the following transform to send it to a single index on the indexers.
The transform used is:
[trendmicro_routing]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = app_trendmicro
We have also created different sourcetypes for each of the 5 categories of logs (scannedlog, detectedlog, assetinfo, updateinfo, applicationinfo).
The transforms stanzas used are:
[tmps_scannedlogs]
REGEX = scannedFiles\=
FORMAT = sourcetype::tmps_scannedlogs
DEST_KEY = MetaData:Sourcetype

[tmps_detectedlogs]
REGEX = threatType\=
FORMAT = sourcetype::tmps_detectedlogs
DEST_KEY = MetaData:Sourcetype

[tmps_assetinfo]
REGEX = physicalMemory\=
FORMAT = sourcetype::tmps_assetinfo
DEST_KEY = MetaData:Sourcetype

[tmps_applicationinfo]
REGEX = installPath\=
FORMAT = sourcetype::tmps_applicationinfo
DEST_KEY = MetaData:Sourcetype

[tmps_updateinfo]
REGEX = ^(?!.*(scannedFiles|threatType|physicalMemory|installPath)).*
FORMAT = sourcetype::tmps_updateinfo
DEST_KEY = MetaData:Sourcetype
Now, the scanned and detected logs have a time format like:
startTime=Jun 13 2022 14:29:4
Asset info logs have a different time format, like:
systemDateAndTime=16062022 12:47:26
and the rest of the log types (updateinfo, applicationinfo) do not have a timestamp.
What I understand is that we cannot apply timestamp settings after routing to the different sourcetypes.
How do I make Splunk parse the different time formats and apply the proper settings?
Hi,
You need to define those on the HF side in props.conf to recognise the different timestamps. Just in the same place where you are calling those transforms. Just a different definition based on the original sourcetype.
r. Ismo
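One way to lay out the HF-side props.conf the reply describes, as an added example that is not from either post. It assumes each log category arrives on its own HEC token, with the token setting one of the (assumed) original sourcetype names below; the transform names are the ones from the question.

```ini
# props.conf on the heavy forwarder (added example, not from the posts).
# Assumption: each Trend Micro log category is sent through its own HEC
# token, and each token sets one of the original sourcetypes below.
# Timestamps are extracted in the aggregator queue, before the typing
# queue runs TRANSFORMS, so TIME_* settings keyed on the rewritten
# sourcetypes (tmps_scannedlogs etc.) never take effect; they have to be
# keyed on the original sourcetype instead.

# Sample event: startTime=Jun 13 2022 14:29:41   (constructed)
[tmps_hec_scannedlog]
TIME_PREFIX = startTime=
TIME_FORMAT = %b %d %Y %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 25
TRANSFORMS-route = trendmicro_routing, tmps_scannedlogs

[tmps_hec_detectedlog]
TIME_PREFIX = startTime=
TIME_FORMAT = %b %d %Y %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 25
TRANSFORMS-route = trendmicro_routing, tmps_detectedlogs

# Sample event: systemDateAndTime=16062022 12:47:26   (day month year)
[tmps_hec_assetinfo]
TIME_PREFIX = systemDateAndTime=
TIME_FORMAT = %d%m%Y %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 20
TRANSFORMS-route = trendmicro_routing, tmps_assetinfo

# No timestamp in these events: stamp them with the time of receipt rather
# than letting automatic detection latch onto some unrelated number.
[tmps_hec_updateinfo]
DATETIME_CONFIG = CURRENT
TRANSFORMS-route = trendmicro_routing, tmps_updateinfo

[tmps_hec_applicationinfo]
DATETIME_CONFIG = CURRENT
TRANSFORMS-route = trendmicro_routing, tmps_applicationinfo
```

If all five categories must share one token, and therefore one original sourcetype, a single TIME_FORMAT cannot cover both layouts, so splitting the tokens per category is the simplest way to get a distinct original sourcetype for each timestamp definition.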