Hi, I have used props.conf and transforms.conf to configure two different sourcetypes coming to Splunk from udp:514. And when I tried to set timestamp extraction for these two sourcetypes I can't get it to work. Anything I overlooked? Thanks.

Splunk 4.1.4 installed on CentOS 5.2 32bit

props.conf -

[source::udp:514]
TRANSFORMS-UDP514Sourcetyping = SLB_AlteonOS,Juniper_VPN

[SLB_AlteonOS]
TIME_PREFIX = \w+\s+\d+\s+\d+:\d+:\d+\s+\d+\.\d+\.\d+\.\d+\s+
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 49
priority = 101

[Juniper_VPN]
TIME_PREFIX = Juniper:\s+
TIME_FORMAT = %Y-%m-%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 62
priority = 101

transforms.conf -

[SLB_AlteonOS]
REGEX = ^\w+\s+\d+\s+\d+:\d+:\d+\s+\d+\.\d+\.\d+\.\d+\s+\w+\s+\d+\s+\d+:\d+:\d+\s+([\w\d-]+\s)?\w+\s+AlteonOS\s+
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::SLB_AlteonOS

[Juniper_VPN]
REGEX = ^\w+\s+\d+\s+\d+:\d+:\d+\s+10\.10\.8\.2\s
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::Juniper_VPN