Hi astalv, I don't think you can extract the timestamps info correctly from both your source file and raw data at index time. Of course, you can use eval at search time to achieve this, as you already know. You can overwrite event metadata at parsing time for specific sourcetypes, but this applies only to these metadata: host, source, sourcetype. An example below: props.conf [source::udp:514] TRANSFORMS = custom_sourcetyper transforms.conf [custom_sourcetyper] SOURCE_KEY = _raw REGEX = Custom$ DEST_KEY = MetaData:Sourcetype FORMAT = sourcetype::custom_log Hope it helps. Thanks! Hunter ... View more

Thank you! This worked fine. The resource field is cleand up, and the pipes removed. And the URl still works if needed for some reason. ... View more