If I am reading it correctly; the problem is not multiple timestamp formats in one source, it is improper line-breaking based where rows are being merged together.

It seems to be a combination of the line breaks and the datatime XML config. I've discovered the log has three different timestamp formats. Examples are:

<Aug 10, 2017 1:50:23 PM EDT>
[2017-08-10 13:50:23,105]
13:50:23.251

My props.conf for this is:

[weblogic_stdout]
DATETIME_CONFIG = /etc/system/weblogic_stdout.xml
LINE_BREAKER = ([\r\n]+)(\[\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d{3}\]|\<\w{3}\s\d{1,2}\,\s\d{4}\s\d{1,2}:\d{2}:\d{2}\s[AP]M\s\w{3,}\>|\d{2}:\d{2}:\d{2}\.\d{3}\s)
SHOULD_LINEMERGE = false

And the following for the datetime defines:

(\d{4})-(\d{2})-(\d{2})\s(\d{2}):(\d{2}):(\d{2}),(\d{3})


(\w{3})\s(\d{1,2}),\s(\d{4})\s(\d{1,2}):(\d{2}):(\d{2})\s([AP]M)\s(\w{3,})


(\d{2}):(\d{2}):(\d{2}).(\d{3})>

This is working correctly for the first two timestamp formats, breaking the events at the desired timestamps, and picking up the correct date/time for each event in the search results. The third timestamp format, however, inherits the timestamp from the preceding event in the search results. Can anyone shed light on what's wrong with my "_weblogic_stdout_timestamp3" extract specification or the regex string? I'm assuming it's there, but it may be how the information is getting passed along via LINE_BREAKER.

Sorry about my datetime defines. I used a Code Sample, and it seems to have eaten the surrounding XML. Fortunately I noticed the trailing > on the third match string, and it now properly extracts the timestamp for those events as well.

My thanks to the as-always helpful Splunk community!

And here is a link that woodcock has provided recently about this:

https://www.function1.com/2013/01/oh-no-splunking-log-files-with-multiple-formats-no-problem