Did it work? ... View more

@cpetterborg, thanks for reminding of sed, following replace should also do the trick | makeresults | eval Time="Jun 28 11:50:23 2017" | eval Time=replace(Time,"(\w{3}\s\d{2})(\s\d{2}:\d{2}:\d{2})(\s\d{4})","\1\3\2") Basically June 28 is extracted as 1st Capturing group 11:50:23 as 2nd and 2017 as 3rd. Then replace is used to format them in correct sequence i.e. 1, 3, 2. Output field will remain String Date. Refer to the documentation: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/TextFunctions#Basic_example_4 ... View more

How come? transforms.conf can be created/modified in the UI under settings - fields - field transformation Read this https://answers.splunk.com/answers/149597/im-struggling-with-how-i-should-be-doing-inputs-and-also-props-transforms-etc-stuff-within-splunk-cloud.html which explains how the options of props and transforms maps to the UI. cheers, MuS ... View more

You need to show us the entire raw event. ... View more