Single server timestamp issues

tpa_splunk
Loves-to-Learn Lots

Hello all,

I am currently running into issues with netscaler logs with the following format: 

2021-01-28T06:14:09.884506+08:00 10.10.10.10 01/27/2021:14:14:14 hostname

I have used the following props to successfully set time format to the second time zone on other heavy forwarders but have been unable to successfully apply it on this heavy forwarder: 

TIME_FORMAT = ^\S\s+\S+\s+
TIME_PREFIX = %m/%d/%Y:%H:%M:%S

I have also tried using a transforms to strip the original header and used the following configs with those logs:

999.999.999.999 01/27/2021:14:14:14 hostname

TIME_FORMAT = ^\S\s+
TIME_PREFIX = %m/%d/%Y:%H:%M:%S

When going to the GUI of the HF and trying to index this file once, Splunk says that it fails to parse the timestamp and is reverting to the modtime of the file. I am not sure where the error could be, as I copied a working config from a different forwarder. I have also tried a more specific regex using the following:

TIME_FORMAT = ^\d{4}\-\d{2}\-\d{2}T\d{2}\:\d{2}\:\d{2}\.\d+\+\d+\:\d+\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s+

and still receive an error. Both servers are running 8.0.3 and the file is being written to disk on the forwarder with props applied. I have rewritten the props multiple times and removed all spaces to ensure something wasn't being added by default. When I load the citrix_netscaler sourcetype in Getting Data In, the regex shows up with an error. If I cut and repaste it, it matches the time zone successfully. After saving, the errors come back up. Any advice on this would be appreciated.


harishraj12
Engager

Try this,

TIME_PREFIX = ^\S+\s\S+\s
TIME_FORMAT = %m/%d/%Y:%H:%M:%S

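An added offline check, written for this thread and not part of either poster's configuration, that approximates how Splunk applies TIME_PREFIX (a regex whose match marks where the timestamp starts) and TIME_FORMAT (a strptime-style format for the text that follows). Run against the two sample lines from the question, it shows that the config as originally posted, with the regex and the format in each other's keys, yields no timestamp at all, while the key assignment in the answer parses the second timestamp; the lenient trailing-text handling is an assumption of this model, not Splunk's exact parser:

```python
import re
from datetime import datetime
from typing import Optional

# Sample events copied from the question (first as logged, second after the
# header was stripped by a transform).
EVENT_FULL = "2021-01-28T06:14:09.884506+08:00 10.10.10.10 01/27/2021:14:14:14 hostname"
EVENT_STRIPPED = "999.999.999.999 01/27/2021:14:14:14 hostname"


def extract_timestamp(event: str, time_prefix: str, time_format: str) -> Optional[datetime]:
    """Approximate Splunk's TIME_PREFIX / TIME_FORMAT handling.

    TIME_PREFIX is a regex; timestamp parsing starts right after its match.
    TIME_FORMAT is a strptime-style format applied to the text after that point.
    Returns the parsed datetime, or None when either step fails, which is the
    case in which Splunk falls back to another source such as file modtime.
    """
    m = re.search(time_prefix, event)
    if m is None:
        return None
    rest = event[m.end():]
    # Python's strptime rejects trailing text, so try the longest leading
    # slice first; the first slice that parses is the timestamp.
    for end in range(len(rest), 0, -1):
        try:
            return datetime.strptime(rest[:end], time_format)
        except ValueError:
            continue
    return None


# Config as posted in the question: regex and format sit in the wrong keys,
# so the "prefix" is a literal "%m/%d/..." string that never matches.
SWAPPED = {"TIME_PREFIX": "%m/%d/%Y:%H:%M:%S", "TIME_FORMAT": r"^\S\s+\S+\s+"}
# Config from the answer: skip two whitespace-delimited fields, then parse.
FIXED = {"TIME_PREFIX": r"^\S+\s\S+\s", "TIME_FORMAT": "%m/%d/%Y:%H:%M:%S"}
# Variant for the stripped line, where only the IP precedes the timestamp.
FIXED_STRIPPED = {"TIME_PREFIX": r"^\S+\s", "TIME_FORMAT": "%m/%d/%Y:%H:%M:%S"}


def check(event: str, cfg: dict) -> Optional[datetime]:
    """Apply one props-style config to one event."""
    return extract_timestamp(event, cfg["TIME_PREFIX"], cfg["TIME_FORMAT"])


if __name__ == "__main__":
    for name, event, cfg in [("swapped", EVENT_FULL, SWAPPED),
                             ("fixed", EVENT_FULL, FIXED),
                             ("stripped", EVENT_STRIPPED, FIXED_STRIPPED)]:
        print(f"{name:9s} -> {check(event, cfg)}")
```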

tpa_splunk
Loves-to-Learn Lots

Same result, also tried using the literal hostname in the TIME_PREFIX as it is the same for this instance and had no luck. Can you think of any reason that the TIME_FORMAT would be valid for one instance and not for another when both are running at 8.0.3? The only difference between the logs is that the ones that are working have a hostname in front of the time and these have an IP. \S+ will handle both and Splunk is not outputting any additional errors in splunkd. 
