I believe I see three issues here.
Is the TIME_PREFIX correct? I do not get a match in the UI when using yours. Try changing /"Message":"/ to "Message":"
Your TIME_FORMAT hour setting appears incorrect. You are using the 24-hour format and not 12-hour as indicated by the trailing 'PM'.
Your TIME_FORMAT year setting appears incorrect. %y is the 2-digit year, so the %Y variable is needed.
@sundareshr The MAX_TIMESTAMP_LOOKAHEAD starts after the TIME_PREFIX if specified and defaults to 150 characters. Since he specified it and the timestamp immediately follows the prefix, the above should work.
I hope this helps.
Example of it working is below.
Josef
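The three points in the answer above can be checked offline with the following added example, which is not part of the original post: it models the prefix, lookahead and format sequence using Python's `re` and `datetime.strptime` as a stand-in for Splunk's timestamp parser. Assumptions: the sample event and its `MM/DD/YYYY hh:mm:ss PM` layout are constructed, `extract_timestamp` is a hypothetical helper, and Splunk's exact behaviour on a wrong format may differ from Python's.

```python
import re
from datetime import datetime

# Constructed sample event; the poster's real event is not shown on the page.
EVENT = '{"Level":"Info","Message":"08/16/2016 03:15:42 PM service started"}'

def extract_timestamp(event, time_prefix, time_format, lookahead=150):
    """Model of the sequence described above: find TIME_PREFIX, take at most
    `lookahead` characters after it, parse the start of that window with
    TIME_FORMAT. Returns a datetime, or None if no timestamp is recognised."""
    match = re.search(time_prefix, event)
    if match is None:
        return None  # the prefix regex never matched the raw event
    window = event[match.end():match.end() + lookahead]
    # strptime needs the exact timestamp text, so try the longest candidate first.
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], time_format)
        except ValueError:
            continue
    return None

def run_cases():
    good_prefix = r'"Message":"'
    good_format = "%m/%d/%Y %I:%M:%S %p"
    return {
        "corrected": extract_timestamp(EVENT, good_prefix, good_format),
        # Literal slashes become part of the regex and never occur in the event.
        "slashes_in_prefix": extract_timestamp(EVENT, r'/"Message":"/', good_format),
        # %H reads "03" as 24-hour time; Python then ignores the trailing PM.
        "24h_hour": extract_timestamp(EVENT, good_prefix, "%m/%d/%Y %H:%M:%S %p"),
        # %y consumes only "20" of "2016", so the rest of the format cannot match.
        "2digit_year": extract_timestamp(EVENT, good_prefix, "%m/%d/%y %I:%M:%S %p"),
        # A window shorter than the timestamp cuts it off before the time part.
        "short_lookahead": extract_timestamp(EVENT, good_prefix, good_format, lookahead=10),
    }

if __name__ == "__main__":
    for name, value in run_cases().items():
        print(f"{name:18} -> {value}")
```

The `24h_hour` case is the one to watch for in log pipelines: it parses without error but lands twelve hours early, which skews event ordering and time-window searches.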