i have to define in props.conf right , anything in transforms.conf?

Yes you define this in props.conf, make sure to replace my_sourcetype with your sourcetype name.. After you set this you have to restart splunkd

Did this solve your question? If so, can you accept it?

@skoelpin No 😞

If your just looking to extract the bold portion then the extraction will look like this

(?<NAME>\w+\s\d+\s+\d+:\d+:\d+)

[cisco:asa]
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 17
TIME_FORMAT = %b %d %H:%M:%S
LINE_BREAKER = (?\w+\s\d+\s+\d+:\d+:\d+)
SHOULD_LINEMERGE = False
TRUNCATE = 10000

Should i try this ?

Is cisco:asa your sourcetype? If so then yes

Are you just trying to extract the bold part out or do you want it to timestamp correctly based off the second timestamp?

Can you elaborate more on what the issue is? The props.conf entry I provided you will work, I tested it!

Not working . Issue is if i run for real time or last 15 minutes Splunk default props works fine however if i search let's say 5AM logs then it picks date Aug 22 and time from first which is 05:10:50.
It should pick time and date as Aug 23 05:10:50

Aug 23 05:10:50 1.1.1.1 Aug 22 2017 19:10:51: %ASA-6-302014: Teardown TCP connection 418825708 for inside:1.1.1.1/88 to VMWare-Internal-DMZ:10.1.1.1/12345 duration 0:00:00 bytes 1880 TCP FINs.

Help?

This is because you didn't specify the MAX_TIMESTAMP_LOOKAHEAD attribute. This defaults to 150 characters relative to your TIME_PREFIX attribute. So Splunk may be getting confused since you have 2 timestamps in the first 150 characters. Look at my answer below to see the full base configs you should set in props.conf