I have the following event being sent from a Universal Forwarder (UF) syslog server to a standalone instance of Splunk:

4656Open Object101.3CIFS000x8020000000000000Audit SuccessSecurityc5e81075-f14f-11e3-9b1e-123478563412/cd4c5993-11b0-11e4-92a9-123478563412134.82.79.10S-1-5-21-2136110353-913448559-1712093940-13349falseBUCKNELLleisnhth-aSecurityFile00000000000466;00;015ce358;514e6b60(netspace_departments);/isr/public/www2/bu_only/AICT/images/oversize/IRM195.jpg%%4423 %%1538 2080Read Attributes; Read ACL;  

The data is obviously in an XML format. I created a subdirectory within $SPLUNK_HOME/etc/deployment-apps/IA-naaudit and in the default dir I have an inputs.conf:

[monitor:///var/log/rsyslogs/Netapp/audit_svm_netspace_last.xml] 
index = netapp 
sourcetype = audit 
_TCP_ROUTING = dev_splunk 

and an outputs.conf

[tcpout:dev_splunk] 
server = sptest:9996 

I manually replicated these dirs and files on the UF in /opt/splunkforwarder/etc/apps/

I am now receiving the event data shown above.

On the standalone instance I created the dir $SPLUNK_HOME/etc/deployment-apps/TA-naaudit and in the local dir I created
props.conf:

[netapp] 
KV_MODE = xml 
TIME_PREFIX = \ntscripts\< 
DEST_KEY = queue 
FORMAT = nullQueue 

Here is my problem: from the event you can see that it should have the timestamp "2017-03-27T16:18:55.218021000Z". When I do a search on index=netapp this event (along with a gazillion others) it gets the time stamp "3/27/17 12:40:40.000 PM" which is incorrect.

Also, I'm trying to drop the events with the user "ntscripts" but they show up in the search as well.

Can you tell me where I'm going wrong?

Thanks,
Mike