That's not how timestamp extraction works. Without knowing your data format, I'd guess this might work:
[your_sourcetype]
TIME_PREFIX = ^([^\t\r\n]*\t){3}
TIME_FORMAT = %Y-%m-%d\t%H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 30
TZ = GMT
Note, I didn't test if the tab between date and time needs to be a tab character or the baslash-tee of regex.
The basic Idea is to tell Splunk where to start looking, what to look for, and for how far to keep looking.
EXTRACT-foo is search-time field extraction, entirely unrelated to finding the timestamp at index time.
... View more