ALWAYS put the timestamp at the beginning whenever possible for Splunk input data, because Splunk stops inputting data after a certain number of bytes (rows) if no timestamp has been found, even if the data does contain a timestamp at a later position.
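One way to apply this before data reaches Splunk is a small pre-ingestion check. The following is an added example, not code from the original note: it reports lines whose timestamp is missing or starts too late, and rewrites a line so the timestamp comes first. The ISO 8601 timestamp shape, the 128-character window, the function names and the sample events are all assumptions made for illustration.

```python
import re

# Assumed timestamp shape: ISO 8601, e.g. 2024-05-01T12:00:05Z or with offset.
TS_RE = re.compile(
    r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})?"
)

# Assumption: 128 characters, Splunk's documented default for
# MAX_TIMESTAMP_LOOKAHEAD in props.conf. Adjust to match your sourcetype.
LOOKAHEAD = 128


def timestamp_offset(line):
    """Return the character offset of the first timestamp, or None."""
    m = TS_RE.search(line)
    return m.start() if m else None


def move_timestamp_first(line):
    """Return the line with its first timestamp moved to the front.

    Lines without a recognisable timestamp are returned unchanged so the
    caller can decide how to handle them.
    """
    m = TS_RE.search(line)
    if m is None or m.start() == 0:
        return line
    rest = (line[:m.start()].rstrip() + " " + line[m.end():].lstrip()).strip()
    return f"{m.group(0)} {rest}"


def audit(lines, lookahead=LOOKAHEAD):
    """Classify each line as 'ok', 'late' (past the window) or 'missing'."""
    report = []
    for n, line in enumerate(lines, 1):
        off = timestamp_offset(line)
        status = "missing" if off is None else "late" if off >= lookahead else "ok"
        report.append((n, status, off))
    return report


# Constructed sample events (not real log data).
SAMPLE = [
    "2024-05-01T12:00:00Z sshd[811]: Accepted publickey for alice",
    "app=billing " + "x" * 140 + " 2024-05-01T12:00:05Z status=500",
    "heartbeat ok",
]

if __name__ == "__main__":
    for (n, status, off), line in zip(audit(SAMPLE), SAMPLE):
        print(n, status, off, move_timestamp_first(line)[:60])
```

Lines reported as `missing` need a timestamp added at the source, since the rewrite only helps when one is present somewhere in the line.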