Ultimately the problem turned out to be caused by a previously undiscovered props.conf file, buried within an app on an upstream heavy forwarder, complete with conflicting and overriding configurations.
The props file on the heavy forwarder contained (among other things):
TZ=US/Pacific
which is problematic for my purpose. Pacific is my local time zone, but this does not correspond to the time fields within the forwarded events (all in UTC). So the solution was to alter the props.conf file in the app on the heavy forwarder so we have:
TZ=UTC
This causes the UTC heavy forwarder data to be correctly indexed in my local Pacific time zone. Problem solved.
As for the other issue (wrong field used as the basis of index-time extraction), this too was caused by a conflicting setting in the props.conf file on the heavy forwarder. Again, fixed in the heavy forwarder's props.conf file.
I thank MuS for setting me on the right track for a solution, and especially for the regex structure suggestion which was correct:
TIME_PREFIX=LAST_VM_SCANNED_DATE="
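The effect of the two TZ values described in the post, as an added example that is not part of the original post: it models how a zone-less timestamp found after the TIME_PREFIX match lands at a different epoch depending on the zone it is interpreted in. The sample event, its timestamp format, the function names and the fixed UTC-8 offset standing in for US/Pacific in January are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample event. Only the field name comes from the post; the
# other fields and the timestamp format are assumptions for illustration.
EVENT = 'HOST_ID="1001" LAST_VM_SCANNED_DATE="2024-01-15 10:00:00" STATUS="ok"'

TIME_PREFIX = r'LAST_VM_SCANNED_DATE="'  # regex from the post
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"        # assumed format of the field value

UTC = timezone.utc
# Fixed offset standing in for US/Pacific on a January date (PST, no DST).
PACIFIC = timezone(timedelta(hours=-8), "PST")


def extract_timestamp(event, prefix=TIME_PREFIX, fmt=TIME_FORMAT):
    """Return the naive datetime that follows the TIME_PREFIX match."""
    m = re.search(prefix + r'([^"]+)"', event)
    if m is None:
        raise ValueError("TIME_PREFIX did not match the event")
    return datetime.strptime(m.group(1), fmt)


def index_time(event, tz):
    """Epoch seconds when the zone-less timestamp is interpreted in tz."""
    return int(extract_timestamp(event).replace(tzinfo=tz).timestamp())


def skew_hours(event, configured_tz, actual_tz):
    """Hours by which the indexed time is off under the configured zone."""
    return (index_time(event, configured_tz) - index_time(event, actual_tz)) / 3600


def shown_to_pacific_user(epoch):
    """Render an indexed epoch the way a Pacific-zone searcher would see it."""
    return datetime.fromtimestamp(epoch, PACIFIC).strftime(TIME_FORMAT)


if __name__ == "__main__":
    for label, tz in (("TZ=US/Pacific", PACIFIC), ("TZ=UTC", UTC)):
        epoch = index_time(EVENT, tz)
        print(f"{label:14} epoch={epoch} shown as {shown_to_pacific_user(epoch)} PST")
    print("skew with the wrong TZ:", skew_hours(EVENT, PACIFIC, UTC), "hours")
```

With the wrong zone the event is indexed eight hours after it actually occurred, which is enough to push it outside a time-bounded search or correlation window.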