Posting on behalf of splunkIT:
Ayn: I think you may be correct about the timestamp issue. These are some of the DateParserVerbose errors from the intermediate forwarder:
10-22-2012 07:29:53.181 +0300 WARN DateParserVerbose - Time parsed (Mon Oct 22 00:45:00 2012) is too far away from the previous event's time (Mon Oct 22 22:10:12 2012) to be accepted. If this is a correct time, MAX_DIFF_SECS_AGO (3600) or MAX_DIFF_SECS_HENCE (604800) may be overly restrictive.
Why is the timestamp parsing occurring at the intermediate forwarder, and not at the indexer? I have the props.conf stanzas for all these sourcetypes on the indexer. Did I mis-configure something here?