Hi @b17gunnr, the Cisco Firepower app in Splunkbase doesn't have a props.conf to tell Splunk how to process timestamps, so you will need to create a props.conf in the appropriate place and deploy it out, as per your other apps, to the server that the data is parsed on (either Heavy Forwarder or Indexer(s)). This will tell Splunk to use the receipt time:

Set DATETIME_CONFIG = NONE to prevent the timestamp processor from running. When timestamp processing is off, Splunk Enterprise does not look at the text of the event for the timestamp and instead uses the event time of receipt, the time the event arrives through its input. For file-based inputs, the event timestamp is taken from the modification time of the input file.

Set DATETIME_CONFIG = CURRENT to assign the current system time to each event as Splunk Enterprise indexes it.

For more info check out https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/9.2/configure-timestamps/configure-timestamp-recognition#:~:text=Set%20DATETIME_CONFIG%20%3D%20NONE,Enterprise%20indexes%20it.

# props.conf - Update sourcetypes accordingly
[cisco:estreamer:log]
DATETIME_CONFIG = NONE
[cisco:estreamer:status]
DATETIME_CONFIG = NONE
[cisco:estreamer:data]
DATETIME_CONFIG = NONE
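As an added check (not part of the answer above), here is a small Python script that parses a props.conf and confirms that each cisco:estreamer sourcetype carries a DATETIME_CONFIG of NONE or CURRENT, flagging any stanza where it is missing or set to something else. The props.conf text embedded in it is constructed for the example, with one stanza deliberately left without DATETIME_CONFIG.

```python
import configparser

# Constructed sample props.conf: two stanzas set as in the answer above,
# one left without DATETIME_CONFIG so the check has something to flag.
SAMPLE_PROPS = """\
[cisco:estreamer:log]
DATETIME_CONFIG = NONE

[cisco:estreamer:status]
DATETIME_CONFIG = CURRENT

[cisco:estreamer:data]
TRUNCATE = 0
"""

# Sourcetypes the Firepower eStreamer data arrives under.
EXPECTED_STANZAS = (
    "cisco:estreamer:log",
    "cisco:estreamer:status",
    "cisco:estreamer:data",
)
# Values that make Splunk use receipt time (NONE) or index time (CURRENT).
VALID_VALUES = {"NONE", "CURRENT"}


def parse_props(text):
    """Parse props.conf text. Splunk keys are case-sensitive, so keep the
    original case; '%' is common in Splunk values, so disable interpolation."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_timestamp_config(text, stanzas=EXPECTED_STANZAS):
    """Return {sourcetype: 'NONE' | 'CURRENT' | 'missing' | 'unexpected:<value>'}."""
    cp = parse_props(text)
    result = {}
    for st in stanzas:
        if not cp.has_section(st) or not cp.has_option(st, "DATETIME_CONFIG"):
            result[st] = "missing"
            continue
        value = cp.get(st, "DATETIME_CONFIG").strip()
        result[st] = value if value in VALID_VALUES else f"unexpected:{value}"
    return result


if __name__ == "__main__":
    for st, status in check_timestamp_config(SAMPLE_PROPS).items():
        print(f"{st}: {status}")
```

Run it against the props.conf you deploy; on the parsing tier you can also confirm the merged result with `splunk btool props list cisco:estreamer:log --debug`.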