I discovered our logs were split between events. I notice that Splunk split the event ANY date and time it found in our logs. See below. <ResponseEndTimestamp>11/05/2020 09:53:33</ResponseEndTimestamp> </RCExtResponse> 2020-11-05 08:53:36,916 [http-nio-8080-exec-4] [198.153.9.206||1573FF21ECE6B4E4DA213F08E73230B3|] INFO c.v.c.d.DrFirstGatewayService - Retrived patient object(Patient:...) .... 2020-11-05 08:53:37,110 [http-nio-8080-exec-4] should have started a new event. To fix, I wanted to defined a BREAK_ONLY_BEFORE in the Source Type. Unfortunately, the Web UI keeps changing values when I save. See before and after. Before Before After After Has anyone encountered this? Any help would be greatly appreciated. Josh
... View more