The code I provided works, but if I add :, it doesnt send event. I can replace colons, but I wonder why It doesn't work. Splunk can read events with colons, so that's weird. ... View more

Hello @kairat, I am confused. In the head of the post, you stated that with that code, you could not get the event added to Splunk, and now you say it works. Anyway, the colons you removed changed the format of the date of the event, and the result format seems quite strange. Can you please share the way you extract the date/time info for the sourcetype? ... View more

The problem is about ": : : ". How to fix it???? ... View more