Thank you for providing a sample event.

Splunk should be able to interpret the time stamp on its own, but I would strongly recommend that you use TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD to scope the time stamp extraction to the location in your events where it can be found :

[host::rok*]
TIME_PREFIX = ^dst
MAX_TIMESTAMP_LOOKAHEAD = 24

This is very important because you do not want Splunk to pick up a string that may look like a year somewhere else in the event, which may result in a wrong time stamp.

TIME_FORMAT is optional here, but you can specify it if desired to speed up the time stamp extraction process.

Make sure to refer to props.conf.spec for a full description of these configuration keys.

UPDATE: Since you seem to have line-breaking issues, I would suggest that you add the following configuration keys to explicitly declare how your source file should be split into events:

LINE_BREAKER = ([\r\n]+)dst\s+
SHOULD_LINEMERGE = false

This is assuming that all of your events begin with the string "dst ", and that no line that is not an event begins with that string.

Sure, here is a full line of an event:
dst Thu Jan 26 07:45:12 EST 10.10.1.2:vmwsspapp02_prd_data01 rok:vmwsspapp02_prd_data01 Start

I agree with @gkanapathy, we cannot really recommend a configuration without a sample event to base it on.

why do you have TIME_PREFIX = dst? What does the actual event line look like? Does it actually contain that string immediately before the timestamp?

You appear to be missing the year match in your conf file. The pattern to match your time-stamp should be:

%a %b %d %Y %H:%M:%S %Z