The solution below worked for our organization: In the props.conf file located in [SPLUNK_HOME]\etc\apps\TA-MS_O365_Reporting\default, comment out the following: [ms:o365:reporting:messagetrace] MAX_TIMESTAMP_LOOKAHEAD = 30 SHOULD_LINEMERGE = 0 *#TIME_FORMAT = %Y-%m-%dT%H:%M:%S%Z TIME_PREFIX = "Received": "* category = Splunk App Add-on Builder pulldown_type = 1 Create a new props.conf in [SPLUNK_HOME]\etc\apps\TA-MS_O365_Reporting\local and add the following: [ms:o365:reporting:messagetrace] TZ = UTC MAX_TIMESTAMP_LOOKAHEAD = 300 TIME_PREFIX = "Received":\s*" Thanks! Hope this solution helps. ... View more

Suggest use different stanzas with source::.... to do line break for each different type logs. E.g. for each source: [source::...source1...] BREAK_ONLY_BEFORE_DATE = true DATETIME_CONFIG = none TIME_FORMAT = XXXX // set as log shows ... ... View more

SERVICESTARTTYPE=manual doesn't seem to work with the x64 forwarder msi 6.6.4 or 7.0.1 on Windows 10. From the msiexec log: MSI (s) (88:F0) [09:41:47:549]: Command Line: RECEIVING_INDEXER=10.2.1.100:9997 WINEVENTLOG_SEC_ENABLE=1 SERVICESTARTTYPE=manual LAUNCHSPLUNK=0 AGREETOLICENSE=Yes CURRENTDIRECTORY=C:\WINDOWS\system32 CLIENTUILEVEL=3 CLIENTPROCESSID=3900 but InstallSplunkService: Info: Execute string: cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" cmd splunkd install --startup=auto >> "C:\Users\xxx\AppData\Local\Temp\splunk.log" 2>&1" ... View more

yes, The java is in the path so that I can run it any directory. ... View more