Splunk Search

Custom _time extraction

responsys_cm
Builder

I would like to use a field in my event data for the _time field. It looks like:

<LAST_UPDATE><![CDATA[2012-06-14T21:16:28Z]]></LAST_UPDATE>

I tried the following in props.conf to extract that time field:

TIME_PREFIX = (?i)^\s+\<LAST_UPDATE\>\<!\[CDATA\[

How can I make use of this field for the _time value?

Thx.

Craig


responsys_cm
Builder

Thanks, Ayn. Yeah, that's what the line of XML looks like. The characters appear like they do in the event.


sowings
Splunk Employee

It might be the \s+ at the beginning tripping up the regex.

You might also consider adding a TIME_PREFIX to give Splunk a leg up on guessing the proper format for your events.

Another possibility is that your time stamp string might be past the default "how far ahead do I look?" limit. That default is 150 characters, and is set by MAX_TIMESTAMP_LOOKAHEAD in props.conf.

Finally, if the event stream for this event contains other events that are in, say, standard syslog format, with a timestamp at the leading position in the line, Splunk might "home in" on that timestamp format, preferring it over the one you've specified here. In general, you should try to group events with similar timestamp formats into like inputs. That is, if events A, B and C all go into the same file monitored by inputs.conf, and only type C has the "different" timestamps, Splunk will choose the format of events A and B, but be confused by C. You might have to resort to a search-time extraction, if this is the case.
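As an added example (not code from any poster on this thread, and not Splunk's own implementation), the script below approximates the three index-time steps the reply above talks about: match TIME_PREFIX, look for a timestamp within MAX_TIMESTAMP_LOOKAHEAD characters after the match, and parse it with a TIME_FORMAT. It runs the posted TIME_PREFIX against a constructed copy of the sample event to show that `^\s+` fails when the line has no leading whitespace, and assumes a `\s*` variant as the fix. The lookahead and parsing logic is a simplification of what Splunk does, written only to make the effect of each setting visible.

```python
import re
from datetime import datetime, timezone

# Constructed sample event: the single XML line quoted in the question.
SAMPLE_EVENT = "<LAST_UPDATE><![CDATA[2012-06-14T21:16:28Z]]></LAST_UPDATE>"

# TIME_PREFIX exactly as posted: ^\s+ requires at least one leading whitespace character.
PREFIX_AS_POSTED = r"(?i)^\s+\<LAST_UPDATE\>\<!\[CDATA\["
# Assumed fix: \s* tolerates zero leading whitespace (the < and > need no escaping).
PREFIX_FIXED = r"(?i)^\s*<LAST_UPDATE><!\[CDATA\["
# Assumed TIME_FORMAT; the trailing Z is not consumed, so TZ = UTC would be set alongside it.
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S"
# Splunk's default MAX_TIMESTAMP_LOOKAHEAD, per the reply above.
MAX_TIMESTAMP_LOOKAHEAD = 150


def parse_leading_timestamp(window, time_format):
    """Return the longest prefix of `window` that parses with `time_format`, or None.
    strptime rejects trailing garbage, so try progressively shorter prefixes."""
    for length in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:length], time_format)
        except ValueError:
            continue
    return None


def extract_time(event, time_prefix, time_format=TIME_FORMAT,
                 lookahead=MAX_TIMESTAMP_LOOKAHEAD):
    """Approximation of Splunk's index-time timestamp extraction (an assumption, not
    Splunk's code): apply TIME_PREFIX, then search only the next `lookahead` characters
    for a timestamp matching TIME_FORMAT. Returns an aware UTC datetime, or None when
    the prefix does not match or the timestamp falls outside the lookahead window."""
    match = re.search(time_prefix, event)
    if match is None:
        return None
    window = event[match.end():match.end() + lookahead]
    parsed = parse_leading_timestamp(window, time_format)
    if parsed is None:
        return None
    # The Z in the event is a UTC marker; model TZ = UTC by attaching tzinfo here.
    return parsed.replace(tzinfo=timezone.utc)


def extracted_iso(event, time_prefix, **kwargs):
    """Same as extract_time, but returns an ISO-8601 string for easy comparison."""
    parsed = extract_time(event, time_prefix, **kwargs)
    return None if parsed is None else parsed.isoformat()


if __name__ == "__main__":
    print("posted prefix, no leading whitespace :", extracted_iso(SAMPLE_EVENT, PREFIX_AS_POSTED))
    print("posted prefix, indented event        :", extracted_iso("   " + SAMPLE_EVENT, PREFIX_AS_POSTED))
    print("fixed prefix                        :", extracted_iso(SAMPLE_EVENT, PREFIX_FIXED))
    print("fixed prefix, lookahead too short   :", extracted_iso(SAMPLE_EVENT, PREFIX_FIXED, lookahead=5))
```

The first call returns None because the posted regex demands leading whitespace that the event does not have; indenting the event makes the same regex succeed, which is the quickest way to confirm the `\s+` diagnosis. The last call shows what an undersized MAX_TIMESTAMP_LOOKAHEAD looks like: the prefix matches, but the timestamp is cut off before it can be parsed.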

Ayn
Legend

I reformatted your question a bit, but I'm unsure what you actually put in your regex and what you entered here to have the site display it correctly. Code blocks are indented with 4 spaces. Please have a look and edit it so it looks like it does in your events and conf files.
