I'm trying to extract timestamps for log events that I am forwarding to Splunk as json log files, and instead of getting the date correctly from inside the json, Splunk seems to get the timestamp from the log file's Date Modified. (that's the only datetime that matches, isn't that weird?)

The json is properly formatted and validated, and is serialised to string using the Json.NET JsonConvert, so my json around the datetime looks like this:

"Request": {
  "TimestampUtc": "2015-11-09T14:33:53.3239117Z",
  "Headers": {

I set sourcetype=_json for my UniversalForwarder in the inputs.conf file for Splunk_TA_windows, monitoring a directory on my hard drive. Logfile names have the format service.log.json, and the TimestampUtc property is on the 10th line, about 140 characters in inside the object.

On the Splunk server, the default props.conf has

[_json]
pulldown_type = true
INDEXED_EXTRACTIONS = json
KV_MODE = none
AUTO_KV_JSON = false
category = Structured

and the local props.conf has

[_json]
INDEXED_EXTRACTIONS = json
pulldown_type = true
KV_MODE = none
AUTO_KV_JSON = false
#TIMESTAMP_FIELDS = TimestampUtc
TIME_PREFIX=/"TimestampUtc": "/
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%7N%Z
#TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N
MAX_TIMESTAMP_LOOKAHEAD = 27
category = Structured

Can someone point me to the right configuration for this extraction? I have tried a multitude of combinations but without success.