Tried, no difference unfortunately, thanks for your suggestions though.
To see if the props.conf was being read, I then removed the LINE_BREAKER and SHOULD_LINEMERGE entries; this had the expected effect of merging lines, so the props.conf entry is being used.
I then removed all the TIME entries, so Splunk will go back to AUTO, no difference. The timestartpos is always 0 and timeendpos is always 8?? Don't understand why it thinks this is the case!
04/05/17 20:58:27 OUT:[(1)22RET_YSCO (2)(28)38 VSNG(28)OK(28)69000359(28)10523189(28)H(28)NGUYEN(28)(3)(4)]
time - 2017-05-04T00:00:00.000+10:00
date_mday - 4
date_month - may
date_wday - thursday
date_year - 2017
date_zone - local
timeendpos - 8
timestartpos - 0
Default
host - gis-syco-01
index - crown
punct - //:::[()____()()()()()()()()()()]
source - /sysC/logs/simphony/MICpst.socket
sourcetype - flat_file
splunk_server - MIT-SPLUNK-T1