Why am I unable to capture an accurate timestamp from a CSV field in the middle of a log message and recognize it as GMT?

We're collecting logs which have the timestamp in the middle of the log message, which is also in GMT. I'm trying to define the pattern for the timestamp and tell Splunk to treat it as GMT. I've defined the following in props.conf:

```
[splunk@ziva local]$ pwd
/opt/splunk/etc/deployment-apps/DS-its-o365-audit/local
[splunk@ziva local]$ cat props.conf
[o365-audit-smtp]
TIME_FORMAT = "%m/%d/%y %I:%M:%S %p"
TZ = GMT
```

And I also have the following transform to handle the CSV fields:

```
[splunk@ziva local]$ pwd
/opt/splunk/etc/deployment-apps/DS-transform/local
[splunk@ziva local]$ head -10 transforms.conf | tail -5
# o365-audit CSV
[o365-audit-smtp]
DELIMS = ","
FIELDS = "PSComputerName","RunspaceId","PSShowComputerName","Organization","MessageId","Received","SenderAddress","RecipientAddress","Subject","Status","ToIP","FromIP","Size","MessageTraceId","StartDate","EndDate","Index"
```

The **Received** field is the timestamp that should be used for the **_time** field of the message. Received is properly populated, but the _time field is often off by a few seconds to several minutes, as is the case here:

```
17/12/2015 12:14:28.000 "ps.outlook.com","2d2269bb-7461-4cb2-b528-8cc6fb965d4b","False","uwoca.onmicrosoft.com","","12/17/2015 12:22:07 PM","sender@stats.uwo.ca","recipient@uwoca.onmicrosoft.com","Re: AS 2053 -- A Quick Question","Resolved","","129.100.1.9","19497","f06db2f9-9d22-470d-b27b-08d306dcae20","12/17/2015 6:00:00 AM","12/17/2015 12:00:00 PM","81130"
```

Fields Splunk extracted for this event:

| Type | Field | Value |
|---|---|---|
| Selected | FromIP | 129.100.1.9 |
| Selected | RecipientAddress | recipient@uwoca.onmicrosoft.com |
| Selected | SenderAddress | sender@stats.uwo.ca |
| Selected | Subject | Re: AS 2053 -- A Quick Question |
| Selected | host | O365-Audit |
| Event | EndDate | 12/17/2015 12:00:00 PM |
| Event | Index | 81130 |
| Event | MessageId | (empty) |
| Event | MessageTraceId | f06db2f9-9d22-470d-b27b-08d306dcae20 |
| Event | Organization | uwoca.onmicrosoft.com |
| Event | PSComputerName | ps.outlook.com |
| Event | PSShowComputerName | False |
| Event | Received | 12/17/2015 12:22:07 PM |
| Event | RunspaceId | 2d2269bb-7461-4cb2-b528-8cc6fb965d4b |
| Event | SenderUsername | sender |
| Event | Size | 19497 |
| Event | StartDate | 12/17/2015 6:00:00 AM |
| Event | Status | Resolved |
| Event | index | its-o365-audit |
| Event | linecount | 1 |
| Event | splunk_server | ducky.its.uwo.pri |
| Event | user | sender |
| Event | user_combined | sender |
| Time | _time | 2015-12-17T12:14:28.000-05:00 |
| Default | punct | "..","----","","..","<.@...>","//_::_","@..","@.." |
| Default | source | C:\Logs\SMTP\SMTP_Logs_6HRS_12-17-2015_12-00-00.csv |
| Default | sourcetype | o365-audit-smtp |

It's also not handling the time as GMT, if it's even handling that timestamp at all. What am I doing wrong?
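An added offline check, not part of the original question: it runs the posted TIME_FORMAT pattern against the Received value from the sample event using Python's strptime (which shares these directives), alongside a variant with a four-digit year, and shows what _time would be if the value were taken as GMT and rendered in the -05:00 offset the event displays. The -05:00 zone is an assumption taken from the shown _time.

```python
from datetime import datetime, timedelta, timezone

# Received value copied from the sample event in the question; the
# -05:00 offset is taken from the displayed _time and assumed to be the
# search head's local zone.
RECEIVED = "12/17/2015 12:22:07 PM"
LOCAL_TZ = timezone(timedelta(hours=-5))

# strptime pattern exactly as posted in props.conf, plus a variant using
# %Y for the four-digit year the data actually carries.
POSTED_FORMAT = "%m/%d/%y %I:%M:%S %p"
FOUR_DIGIT_YEAR_FORMAT = "%m/%d/%Y %I:%M:%S %p"


def parse_as_gmt(value, fmt):
    """Parse value with fmt and label the result GMT/UTC.

    Returns None when the pattern does not match the value, which is the
    same outcome as a TIME_FORMAT that never fires on the field.
    """
    try:
        naive = datetime.strptime(value, fmt)
    except ValueError:
        return None
    return naive.replace(tzinfo=timezone.utc)


def expected_event_time(value, fmt, local_tz=LOCAL_TZ):
    """ISO-8601 _time the event should receive, rendered in local_tz."""
    parsed = parse_as_gmt(value, fmt)
    if parsed is None:
        return None
    return parsed.astimezone(local_tz).isoformat()


if __name__ == "__main__":
    for fmt in (POSTED_FORMAT, FOUR_DIGIT_YEAR_FORMAT):
        print(f"{fmt!r:32} -> {expected_event_time(RECEIVED, fmt)}")
```

Comparing the second result with the _time shown in the event table (12:14:28 -05:00) makes it visible whether the Received value is driving _time at all.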
