i think perhaps i may have done this wrong then. 

my inputs.conf is as follows:

[fschange:E:\Logs\*]
pollPeriod = 60
signedaudit=false
fullEvent=true
sendEventMaxSize=-1

index = ccure_sitedata
sourcetype = ccure_site_journal

looking at sourcetypes in my cloud instance, the above mentioned sourcetype does have a TIME_FORMAT flag set. 

as part of the app i have also done a props.conf file but presumably from what you have said, that is incorrect? (im using splunk cloud so presumably i cant edit the props file)

props.conf

TIME_FORMAT = %d/%m/%Y %H:%M:%S

i am fairly new at this so please forgive me for the formatting of these. 

i have been doing some more testing and structured the inputs.conf file as per splunk docs but the input is completely ignoring the fact that i'm telling it to use a particular source type and as such ignoring the format behind that. 

from what i can tell its only marking the first event (or 2) with the required sourcetype and then stating xml as the sourcetype for the rest when there actually isn't a sourcetype named that. 

what am i doing wrong? i've followed the documentation

I presume you are running this from a UF or HF - do you have access to the forwarder to run a btool?
I would start by doing btool on the input to verify the sourcetype configuration isn't getting clobbered there, then I would also btool the props of the sourcetype to see if the time format is correct.

Directions: https://docs.splunk.com/Documentation/Splunk/8.1.3/Troubleshooting/Usebtooltotroubleshootconfigurati...

i have tried to use the btool and its not jumping out with any errors or anything. to be fair im not 100% im doing it right. 

I've never experienced the sourcetype changing midstream like that.  Do you have any transforms installed that may be setting the sourcetype based on the data it sees?

i dont beleive i have any transforms. certainly not any i've put in myself.

I have a props.conf that contains the time format as stated above. other than that, nothing. 

any ideas anyone?

no one?