Hi, I can't get Splunk to use the content of timestamp_start as _time.

This is an example of a log:

canale=<value>;an=<value>;num_fattura=<value>;data_emissione=2022-01-01;timestamp_start=2022-03-02 11:22:00;timestamp_end=2022-03-02 11:22:02;total_time=1.56035;http_code=200;purl=<value>

and this is what I get as _time:

2022-01-01 11:22:00

I found a configuration that should work, so I edited the props.conf file on the deployment server, but even though I can see the "new" props.conf on the forwarder and on the deployment server, newly indexed files still have the wrong timestamp.

[my_sourcetype]
SHOULD_LINEMERGE=false
NO_BINARY_CHECK=true
TIME_FORMAT=%Y-%m-%d %H:%M:%S
TIME_PREFIX=.*\d*-\d*-\d*\;timestamp_start=
MAX_TIMESTAMP_LOOKAHEAD=19

After editing the props.conf, I reloaded the deployment server (splunk reload deploy-server) and then I restarted Splunk on the deployment server and on the forwarder.

My Splunk version is 6.5.1.

Thanks for any help you may be able to give me!
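An offline check of the stanza above, added here as an example and not part of the original post: it applies TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD and TIME_FORMAT to one event the way those three settings are documented to combine (regex match, then a character window starting at the end of the match, then strptime). It uses Python's `re` and `datetime` as an approximation of Splunk's parser, and the function name `extract_time` and the placeholder field values are assumptions.

```python
import re
from datetime import datetime

# Values copied from the [my_sourcetype] stanza in the post.
TIME_PREFIX = r".*\d*-\d*-\d*\;timestamp_start="
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"
MAX_TIMESTAMP_LOOKAHEAD = 19

# Constructed sample event: field layout from the post, placeholder values.
SAMPLE_EVENT = (
    "canale=A;an=B;num_fattura=C;data_emissione=2022-01-01;"
    "timestamp_start=2022-03-02 11:22:00;timestamp_end=2022-03-02 11:22:02;"
    "total_time=1.56035;http_code=200;purl=D"
)


def extract_time(event, prefix=TIME_PREFIX, fmt=TIME_FORMAT,
                 lookahead=MAX_TIMESTAMP_LOOKAHEAD):
    """Return the datetime the three settings select, or None if they fail.

    Hypothetical helper: approximates the prefix/lookahead/format pipeline,
    not Splunk's actual timestamp processor.
    """
    match = re.search(prefix, event)
    if match is None:
        return None  # TIME_PREFIX never matched this event
    # The lookahead window is counted from the end of the prefix match.
    window = event[match.end():match.end() + lookahead]
    try:
        return datetime.strptime(window, fmt)
    except ValueError:
        return None  # window truncated or not in TIME_FORMAT


if __name__ == "__main__":
    # Stanza as posted: selects the timestamp_start value.
    print("as posted:      ", extract_time(SAMPLE_EVENT))
    # Lookahead too short for a 19-character timestamp: parse fails.
    print("lookahead=10:   ", extract_time(SAMPLE_EVENT, lookahead=10))
    # Prefix that matches nothing in the event: no timestamp selected.
    print("missing prefix: ", extract_time(SAMPLE_EVENT, prefix=r"ts_start="))
```

If the settings select the expected value here but _time is still wrong after indexing, the next thing to check is where the stanza is applied: timestamp extraction for unstructured data happens on the instance that parses the events (an indexer or heavy forwarder), not on a universal forwarder.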