I think your TIME_PREFIX is wrong. And my real question is this: what happens if you leave all that out and just let Splunk figure it out? This is a pretty common format, and I think Splunk might not need all of this. I might go as far as this in props.conf (on the indexer):
MAX_TIMESTAMP_LOOKAHEAD=25
SHOULD_LINEMERGE=false
Because that makes Splunk a bit more efficient, not because it is really necessary.
But if Splunk can't figure out the timestamp on its own, you could add:
TIME_FORMAT=%d%t%b%t%H:%M:%S
TIME_PREFIX=\[\d+]\s
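As an added check (not part of the answer above, and not Splunk's own code), the following Python script mimics what TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD and TIME_FORMAT would do to a few constructed events, so you can sanity-check the settings against real samples before touching props.conf on the indexer. It assumes events look like "[<id>] <day> <mon> <HH:MM:SS> ...", which is a guess at the asker's format; Splunk's %t (any whitespace) is rendered here as a single space because Python's strptime has no %t.

```python
import re
from datetime import datetime

# Constructed sample events (hypothetical format, not from the thread):
# a bracketed numeric id, whitespace, then "day month HH:MM:SS".
SAMPLE_EVENTS = [
    "[1234] 12 Mar 10:22:33 sshd: accepted publickey for alice",
    "[99] 3 Jan 23:59:59 kernel: link up",
    "no-id-here 12 Mar 10:22:33 something else",   # prefix missing
]

# The three settings from the answer, translated to Python.
TIME_PREFIX = re.compile(r"\[\d+]\s")
MAX_TIMESTAMP_LOOKAHEAD = 25
TIME_FORMAT = "%d %b %H:%M:%S"   # Splunk: %d%t%b%t%H:%M:%S


def extract_timestamp(event, year=2024):
    """Emulate Splunk's timestamp extraction: locate TIME_PREFIX, then
    parse TIME_FORMAT from the next MAX_TIMESTAMP_LOOKAHEAD characters.
    Returns a datetime, or None when the prefix or timestamp is missing
    (Splunk would then fall back to its own heuristics or index time).
    The format carries no year, so a caller-supplied year is applied."""
    m = TIME_PREFIX.search(event)
    if not m:
        return None
    window = event[m.end():m.end() + MAX_TIMESTAMP_LOOKAHEAD]
    # Try the longest whitespace-delimited prefix of the window first,
    # shrinking until strptime accepts one.
    tokens = window.split()
    for n in range(len(tokens), 0, -1):
        candidate = " ".join(tokens[:n])
        try:
            return datetime.strptime(candidate, TIME_FORMAT).replace(year=year)
        except ValueError:
            continue
    return None


def check_events(events):
    """Return (event, parsed timestamp or None) for every sample event."""
    return [(e, extract_timestamp(e)) for e in events]


if __name__ == "__main__":
    for event, ts in check_events(SAMPLE_EVENTS):
        print(f"{'OK  ' if ts else 'FAIL'} {ts} <- {event}")
```

Any FAIL line means Splunk would not find a timestamp with these settings either, so adjust TIME_PREFIX or TIME_FORMAT before deploying.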