Good morning medunmeyer. That is not working either. More info below. Any help would be appreciated. Thanks.
My props file is below. I've tried setting TZ = UTC, America/Chicago, US/Central to no avail.
I have also removed the %Z from the Time_Format line thinking it may essentially disable the TZ statement.
The 'Received' data from the trace looks like this:
Received: 2018-10-24T09:33:56.8119313
Splunk Query time looks like this:
10/24/18 9:33:56.000 AM
Should be:
10/24/18 4:33:56.000 AM

[ms:o365:reporting:messagetrace]
MAX_TIMESTAMP_LOOKAHEAD = 30
SHOULD_LINEMERGE = 0
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%Z
TZ = UTC
TIME_PREFIX = "Received": "
category = Splunk App Add-on Builder
pulldown_type = 1
EVAL-vendor_product = Microsoft Office 365
FIELDALIAS-aob_gen_ms_o365_reporting_messagetrace_alias_1 = RecipientAddress AS recipient
FIELDALIAS-aob_gen_ms_o365_reporting_messagetrace_alias_10 = SenderAddress AS orig_src
FIELDALIAS-aob_gen_ms_o365_reporting_messagetrace_alias_11 = SenderAddress AS src_user
FIELDALIAS-aob_gen_ms_o365_reporting_messagetrace_alias_12 = ToIP AS dest
FIELDALIAS-aob_gen_ms_o365_reporting_messagetrace_alias_13 = FromIP AS src
FIELDALIAS-aob_gen_ms_o365_reporting_messagetrace_alias_4 = MessageId AS message_id
FIELDALIAS-aob_gen_ms_o365_reporting_messagetrace_alias_5 = Subject AS subject
FIELDALIAS-aob_gen_ms_o365_reporting_messagetrace_alias_6 = Size AS size
FIELDALIAS-aob_gen_ms_o365_reporting_messagetrace_alias_7 = MessageTraceId AS internal_message_id
FIELDALIAS-aob_gen_ms_o365_reporting_messagetrace_alias_8 = Status AS action
FIELDALIAS-aob_gen_ms_o365_reporting_messagetrace_alias_9 = RecipientAddress AS orig_recipient

[ms:o365:reporting:mailtraffic]
SHOULD_LINEMERGE = 0
category = Splunk App Add-on Builder
pulldown_type = 1