As I mentioned in a comment above, SEDCMD is evaluated after timestamp extraction, so you can't fix this via transform. You can, however, explicitly tell Splunk what the time format is. (Details on How Indexing Works)
props.conf
[your_sourcetype]
TIME_PREFIX=^
TIME_FORMAT=%m/%d/%I:%M:%S %p
MAX_TIMESTAMP_LOOKAHEAD=17
This tells Splunk that the timestamp comes at the beginning of the event (TIME_PREFIX), it has the above strftime format, and it extends, at most, 17 characters into the event. Everything it needs to know to get the timestamp right.
This may still not work, as without a year it's not a valid timestamp, so Splunk may still do funny things with it. The real fix is to get your developers to log in a non-ridiculous format. (What Java devs have against ISO standard timestamps, I'll never figure out)
I would also set a couple other things:
[your_sourcetype]
# Timestamp settings as above
TIME_PREFIX=^
TIME_FORMAT=%m/%d/%I:%M:%S %p
MAX_TIMESTAMP_LOOKAHEAD=17
# Do not merge lines heuristically; break events only where LINE_BREAKER matches
SHOULD_LINEMERGE=false
# A new event starts at a newline followed by the mm/dd/hh:mm:ss timestamp; the captured newline is discarded
LINE_BREAKER=([\r\n]+)(?:\d{2}\/\d{2}\/\d{2}:\d{2}:\d{2})
# Keep very long events (e.g. stack traces) from being cut off
TRUNCATE=999999
This further tells Splunk how to handle the incoming events. Specifically, we're telling Splunk where events begin and end explicitly, so it doesn't have to figure it out. (You'll appreciate this when it stops Splunk from doing bad things with stacktraces)
Ideally, you should be setting all of these for every new sourcetype you ingest whenever possible.
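As an added illustration (not part of the answer above or of Splunk's own code), the following Python emulates what those props.conf settings do to a constructed log fragment: it breaks the text into events at the LINE_BREAKER pattern so the stack-trace lines stay attached to the ERROR event, then applies TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD and TIME_FORMAT to each event. The sample log, the constant names and the helper functions are assumptions made for this example; the lookahead regex is an approximation of Splunk's capture-group semantics, and strptime's fallback to the year 1900 is Python's way of showing the missing-year problem the answer warns about.

```python
import re
from datetime import datetime

# Mirrors the props.conf values from the answer (constant names are ours, not Splunk's).
TIME_FORMAT = "%m/%d/%I:%M:%S %p"
MAX_TIMESTAMP_LOOKAHEAD = 17
# Splunk discards the captured ([\r\n]+) and starts the next event at the text after it;
# a lookahead reproduces that behaviour for re.split(), which would otherwise keep the group.
LINE_BREAKER = re.compile(r"[\r\n]+(?=\d{2}/\d{2}/\d{2}:\d{2}:\d{2})")

# Constructed sample, not real log data: two events, the first carrying a Java stack trace.
SAMPLE_LOG = (
    "01/15/03:45:12 PM ERROR Request failed\n"
    "java.lang.NullPointerException\n"
    "\tat com.example.Foo.bar(Foo.java:42)\n"
    "\tat com.example.Foo.main(Foo.java:10)\n"
    "01/15/03:45:13 PM INFO Recovered\n"
)


def split_naively(raw: str) -> list[str]:
    """What you get with no LINE_BREAKER guidance: one event per line, stack trace scattered."""
    return [line for line in raw.splitlines() if line.strip()]


def split_events(raw: str) -> list[str]:
    """Break raw text into events the way the LINE_BREAKER above would."""
    return [e.rstrip("\r\n") for e in LINE_BREAKER.split(raw) if e.strip()]


def extract_timestamp(event: str) -> datetime:
    """TIME_PREFIX=^ means the timestamp is read from the event start; only
    MAX_TIMESTAMP_LOOKAHEAD characters are considered and parsed with TIME_FORMAT.
    With no %Y in the format, strptime silently defaults the year to 1900, which is
    the 'funny things' risk the answer describes."""
    candidate = event[:MAX_TIMESTAMP_LOOKAHEAD]
    return datetime.strptime(candidate, TIME_FORMAT)


if __name__ == "__main__":
    print("naive line count:", len(split_naively(SAMPLE_LOG)))
    for ev in split_events(SAMPLE_LOG):
        print(extract_timestamp(ev).isoformat(), "|", ev.splitlines()[0])
```

Run it and compare the naive split (five "events", three of them stack-trace lines with no timestamp at all) with the LINE_BREAKER split (two events, each starting with a parseable timestamp); the 1900 year in the output is exactly why the answer says the real fix is to log a complete timestamp.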