Just change your props.conf stanza to [source::/root/sample.log] TRANSFORMS-extracted_data = extract-log-type extract-log-date TIME_FORMAT = %Y-%m-%d %H:%M:%S MAX_TIMESTAMP_LOOKAHEAD = 20 SHOULD_LINEMERGE = FALSE MAX_DAYS_AGO = 10951 TIME_PREFIX = ^ When you add TIME_PREFIX = ^ to your props.conf will make splunk to try looking for Timestamp from the first character of any new event. and by adding MAX_DAYS_AGO to props.conf will specifies the maximum number of days in the past, from the current date, that an extracted date can be valid. By default, the value of MAX_DAYS_AGO is 2000 days i.e. 5.479452 Years ... View more