I read a lot of stuff in the Splunk documentation.
As far as I understood it, the file "/etc/datetime.xml" is responsible for recognition of a timestamp.
This file contains the following stanza:
<!-- update regex before '2017' -->
<text><![CDATA[((?<=^|[\s#,"=\(\[\|\{])(?:1[012345]|9)\d{8}|^@[\da-fA-F]{16,24})(?:\.?(\d{1,6}))?(?![\d\(])]]></text>
I'm no regexp specialist but it looks like it should be positive with the above mentioned number.
Then why does the import not work as expected?
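Added example, not part of the original post and not Splunk's own code: the pattern quoted above, run against constructed event strings to show which epoch values it accepts and what it captures as subseconds. It assumes JavaScript's regex engine treats this pattern the same way as the engine Splunk uses; `probe`, `report` and the sample strings are hypothetical names and values.

```javascript
// Pattern copied verbatim from the <text> element quoted in the post.
const EPOCH_RE = /((?<=^|[\s#,"=\(\[\|\{])(?:1[012345]|9)\d{8}|^@[\da-fA-F]{16,24})(?:\.?(\d{1,6}))?(?![\d\(])/;

// Return what the pattern extracts from one event string, or null if
// nothing in the string is recognised as an epoch timestamp.
function probe(event) {
  const m = EPOCH_RE.exec(event);
  if (m === null) return null;
  const seconds = m[1];
  // The "@<hex>" alternative is not a decimal epoch, so it gets no UTC value.
  const isDecimal = /^\d+$/.test(seconds);
  return {
    seconds,
    subseconds: m[2] === undefined ? null : m[2],
    utc: isDecimal ? new Date(Number(seconds) * 1000).toISOString() : null,
  };
}

// Constructed sample events (not taken from the post).
const SAMPLES = [
  "1500000000",            // 10 digits, prefix 15
  "ts=1599999999.123456",  // largest 10-digit value the prefix list allows
  "1600000000",            // prefix 16 is not in 1[012345]
  "999999999",             // 9-digit form starting with 9
  "1500000000123",         // 13 digits: the tail is taken as subseconds
  "x1500000000",           // no start-of-line or separator before the digits
];

// Pair every sample with the result of probing it.
function report() {
  return SAMPLES.map((s) => [s, probe(s)]);
}

for (const [s, r] of report()) {
  console.log(s.padEnd(22), r === null ? "no match" : JSON.stringify(r));
}
```

Because the dot before the subsecond group is optional, extra digits directly after the ten-digit value are consumed as subseconds rather than causing a rejection.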