Hi, more info...

I am using Splunk Enterprise Free. When doing the import and creating a new sourceType, in the section for Timestamps >> Advanced >> time stamp prefix, I did try entering the data field "event_time" in there. Although it did change the date/time shown in the Time column, I could not get it to match the actual value in the event_time.

I am guessing that Splunk cannot process the format of the time value of event_time in the data, that being time shown in this format: 2021-06-21T10:52:56.462000. So if this is the case, then it seems I would need to figure out how to convert that to "strptime", maybe with a RegEx in the ? Maybe this is on track, or not?

I am reading through the docs on Timestamp Recognition to see if I can figure this out. Maybe I am to use the props.conf, set the [<spec>] to source::<source>, where <source> is event_time, the field pulled from the data? I am not sure how to get Splunk to recognize the time in the event_time field though, which is like this: "event_time: 2021-06-21T10:52:56.462000"

Thanks,
Shane