From 2ed9aab2f13bf04186eccd7815e544016f74a6d7 Mon Sep 17 00:00:00 2001
From: Mark Bonsack <mbonsack@splunk.com>
Date: Sun, 8 Mar 2020 12:24:51 -0700
Subject: [PATCH 1/8] feature/test_enhancements

Update tests to search epoch time
---
 .../etc/conf.d/conflib/_common/templates.conf |   2 +-
 .../context/common_event_format_source.csv    |   4 +-
 package/etc/conf.d/filters/cisco/ios.conf     |  26 ++--
 package/etc/conf.d/filters/cisco/ucm.conf     |  31 ++--
 .../conf.d/filters/citrix/netscaler.conf.tmpl |  16 +-
 .../conf.d/log_paths/lp-cisco_acs.conf.tmpl   |  38 +++--
 .../conf.d/log_paths/lp-cisco_ise.conf.tmpl   |  26 +++-
 .../conf.d/log_paths/lp-cisco_ucm.conf.tmpl   |   1 +
 .../conf.d/log_paths/lp-zscaler_lss.conf.tmpl |   6 +-
 .../conf.d/log_paths/lp-zscaler_nss.conf.tmpl |   1 -
 tests/test_checkpoint.py                      |  93 ++++++++----
 tests/test_cisco_acs.py                       |  56 ++-----
 tests/test_cisco_apic.py                      |  31 ++--
 tests/test_cisco_asa.py                       |  48 ++++--
 tests/test_cisco_ios.py                       |  63 ++++++--
 tests/test_cisco_ise.py                       |  49 +++++--
 tests/test_cisco_meraki.py                    |  17 ++-
 tests/test_cisco_nx_os.py                     |  31 ++--
 tests/test_cisco_ucm.py                       |  63 +++++---
 tests/test_citrix_netscaler.py                |  18 ++-
 tests/test_common.py                          | 103 +++++++++----
 tests/test_cyberark.py                        |  46 ++++--
 tests/test_forcepoint_web.py                  |  17 ++-
 tests/test_fortinet_ngfw.py                   |  70 +++------
 tests/test_fortinet_web.py                    |  83 +++--------
 tests/test_imperva.py                         |  17 ++-
 tests/test_infoblox.py                        |  32 ++--
 tests/test_juniper_junos_rfc3164.py           |  46 ++++--
 tests/test_juniper_junos_rfc5124.py           |  48 ++++--
 tests/test_juniper_legacy.py                  |  75 +++++++---
 tests/test_juniper_sslvpn.py                  |  18 ++-
 tests/test_linux_syslog.py                    |  60 +++++---
 tests/test_microfocus_arcsight.py             |  73 ++++++---
 tests/test_palo_alto.py                       |  64 +++++---
 tests/test_pfsense.py                         |  47 ++++--
 tests/test_plugin_example.py                  |  17 ++-
 tests/test_proofpoint.py                      |  32 ++--
 tests/test_symantec_brightmail.py             |  66 +++++----
 tests/test_symantec_proxy.py                  |  19 ++-
 tests/test_ubiquiti_unifi.py                  |  60 +++++---
 tests/test_vmware.py                          |  51 +++++--
 tests/test_zscaler_proxy.py                   | 138 +++++++++++++-----
 tests/timeutils.py                            |  41 ++++++
 43 files changed, 1219 insertions(+), 624 deletions(-)
 create mode 100644 tests/timeutils.py

diff --git a/package/etc/conf.d/conflib/_common/templates.conf b/package/etc/conf.d/conflib/_common/templates.conf
index cc49e3b..bf8a218 100644
--- a/package/etc/conf.d/conflib/_common/templates.conf
+++ b/package/etc/conf.d/conflib/_common/templates.conf
@@ -31,7 +31,7 @@ template t_msg_trim {
 # ===============================================================================================
 
 template t_everything {
-        template("${ISODATE} ${HOST} ${MSGHDR}${MESSAGE}");
+        template("${ISODATE} ${HOST} ${LEGACY_MSGHDR}${MESSAGE}");
         };
 
 # ===============================================================================================
diff --git a/package/etc/conf.d/context/common_event_format_source.csv b/package/etc/conf.d/context/common_event_format_source.csv
index d668350..1aaa666 100644
--- a/package/etc/conf.d/context/common_event_format_source.csv
+++ b/package/etc/conf.d/context/common_event_format_source.csv
@@ -1,4 +1,6 @@
 ArcSight_ArcSight,source,ArcSight:ArcSight
+Carbon Black_Protection,sourcetype,carbonblack:protection:cef
+Carbon Black_Protection,index,cb:cef
 Cyber-Ark_Vault,sourcetype,cyberark:epv:cef
 Cyber-Ark_Vault,index,netauth
 CyberArk_PTA,sourcetype,cyberark:pta:cef
@@ -9,4 +11,4 @@ Microsoft_Microsoft Windows,source,CEFEventLog:Microsoft Windows
 Microsoft_Microsoft Windows,index,oswinsec
 Incapsula_SIEMintegration,source,Imperva:Incapsula
 Incapsula_SIEMintegration,index,netwaf
-unknown,source,ArcSight:unknown
+unknown,source,CEF:unknown
diff --git a/package/etc/conf.d/filters/cisco/ios.conf b/package/etc/conf.d/filters/cisco/ios.conf
index 0a2667e..4b7f995 100644
--- a/package/etc/conf.d/filters/cisco/ios.conf
+++ b/package/etc/conf.d/filters/cisco/ios.conf
@@ -9,26 +9,30 @@ parser cisco-parser-ex{
     channel {
         filter {
             #message('^<\d*>(?:(?<ciscoseq>\d+)\: )?(?:(?<HOST>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]): )?(?:(?<ciscorule>\d+): )?(?:(?<ciscotimereliable>\*)?(?<ciscotime>(?<time>\w\w\w {1,2}\d{1,2} \d\d:\d\d:\d\d)(?<ciscofrac>\.\d{3,6})? ?(?<ciscotz>\w+)?): )?(?:(?<ciscouptime>\d\d:\d\d:\d\d|\d{1,6} \d{1,2}): )?(?<cisomsg>(?<ciscoprogram>%.{2,15}\-\d{1,3}\-[^:]{3,}): (?<ciscodescription>.*))' flags(store-matches));            
-            message('^<\d*>(?:(\d+)\: )?(?:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]): )?(?:(\d+): )?(?:(\*)?((?:\w\w\w {1,2}\d{1,2} (?:\d{2,4} )?\d\d:\d\d:\d\d)(?:\.\d{3,6})?(?: [AP]M)? ?(?:\w+)?): )?(?:(\d\d:\d\d:\d\d|\d{1,6} \d{1,2}): )?(%.{2,15}\-\d{1,3}\-[^:]+): (.*)' flags(store-matches));            
+            message('^<\d*>(?:(\d+)\: )?(?:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]): )?(?:(\d+): )?(?:(\*)?((?:\w\w\w {1,2}\d{1,2} (?:\d{2,4} )?\d\d:\d\d:\d\d)(?:\.\d{3,6})?( [AP]M)?)( \w+)?: )?(?:(\d\d:\d\d:\d\d|\d{1,6} \d{1,2}): )?(%.{2,15}\-\d{1,3}\-[^:]+): (.*)' flags(store-matches));
         };        
         if {
             #Mar  4 11:45:20
             #Apr 29 13:58:46.000001
             #Apr 29 13:58:46.411
-            #Mar  1 18:48:50.483 UTC
+            #Mar  1 18:48:50.483 UTC NOTE: Reverse TZ "%Z" parsing will not work for non-local timezones.
+            # guess-timezone() will be used to reconcile timezones
             parser {
-                    date-parser(format('%b %d %I:%M:%S %p.%f',
-                                    '%b %d %I:%M:%S %p',                                            
+                    date-parser(format(
                                     '%b %d %H:%M:%S.%f',
                                     '%b %d %H:%M:%S',
-                                    '%b %d %H:%M:%S %Z',
-                                    '%b %d %Y %H:%M:%S.%f',
-                                    '%b %d %Y %H:%M:%S.%f %Z',
-                                    '%b %d %Y %H:%M:%S')
-                template("$7")                        
+                                    '%b %d %I:%M:%S %p.%f',
+                                    '%b %d %I:%M:%S %p',
+                                    '%b %d %Y %H:%M:%S.%f'
+                                    '%b %d %Y %H:%M:%S',
+                                    )
+                template("$7")
                 flags(guess-timezone)
                 );
             };
+        } else {
+#           rewrite { set("date/time parser failed", value("fields.sc4s_error")); };
+            rewrite { set("date/time parser failed on string $7" value("fields.sc4s_error")); };
         };
         rewrite {
             set(
@@ -37,11 +41,11 @@ parser cisco-parser-ex{
                 condition(match('..' value('4')))
             );            
             set(        
-                "$9",
+                "$11",
                 value("PROGRAM")                
             );            
             set(
-                "$10",
+                "$12",
                 value("MSG")                
             );
         };
diff --git a/package/etc/conf.d/filters/cisco/ucm.conf b/package/etc/conf.d/filters/cisco/ucm.conf
index a193625..811ae0d 100644
--- a/package/etc/conf.d/filters/cisco/ucm.conf
+++ b/package/etc/conf.d/filters/cisco/ucm.conf
@@ -7,20 +7,31 @@ filter f_cisco_ucm {
 
 filter f_cisco_ucm_message {
     message(
-        '^(<\d{1,3}>)\d*: (?:([^:]+): )?(.*) : (%.*)' 
+#        '^(<\d{1,3}>)\d*: (?:([^:]+): )?(.*[A|P]M\.\d{3}) (\w{3}) : (%.*)'
+#       '^(<\d{1,3}>)\d*: (?:([^:]+): )?(.*) : (%.*)'
+        '^(<\d{1,3}>)\d*: (?:([^:]+): )?(\w{3} \d{1,2} (\d{4} )?\d\d:\d\d:\d\d(?: [AP]M)?(\.\d{3,6})?)([^:]*): (%[A-Z].*)'
         flags(store-matches)
     );
 };
 
 parser p_cisco_ucm_date {
-    #Oct 14 2015 05:50:19 AM.484 UTC
-    #Apr 21 19:01:35.638 UTC
-    date-parser(format(
-        '%b %d %Y %I:%M:%S %p.%f %Z',
-        '%b %d %H:%M:%S.%f %Z'
-        )
-        template("$3")
-    );
+    channel {
+        #Oct 14 2015 05:50:19 AM.484 (timezone skipped; '%Z' date-parser only works for local TZ)
+        #Apr 21 19:01:35.638 (timezone skipped; '%Z' date-parser only works for local TZ)
+        if {
+            parser {
+                date-parser(format(
+                    '%b %d %Y %l:%M:%S %p.%f',
+                    '%b %d %H:%M:%S.%f'
+                    )
+                    template("$3")
+                    flags(guess-timezone)
+                );
+            };
+        } else {
+            rewrite { set("date/time parser failed on string $3" value("fields.sc4s_error")); };
+        };
+    };
 };
 
 rewrite r_cisco_ucm_message {
@@ -28,5 +39,5 @@ rewrite r_cisco_ucm_message {
     set("cisco_ucm" value("fields.sc4s_vendor_product"));
     set("$HOST_FROM" value("HOST") );
     set("$2" value("HOST") condition(match("^..." template("${2}"))) );
-    set("$4" value("MESSAGE"));
+    set("$7" value("MESSAGE"));
 };
diff --git a/package/etc/conf.d/filters/citrix/netscaler.conf.tmpl b/package/etc/conf.d/filters/citrix/netscaler.conf.tmpl
index 57a1dbf..9196f51 100644
--- a/package/etc/conf.d/filters/citrix/netscaler.conf.tmpl
+++ b/package/etc/conf.d/filters/citrix/netscaler.conf.tmpl
@@ -3,7 +3,7 @@ filter f_citrix_netscaler {
 };
 filter f_citrix_netscaler_message {
     message(
-        '^(<\d{1,3}>) (\d\d\/\d\d\/\d\d\d\d\:\d\d:\d\d:\d\d [^ ]{3}+) ([^ ]+) (.*)' 
+        '^(<\d{1,3}>) (\d\d\/\d\d\/\d\d\d\d\:\d\d:\d\d:\d\d) ([^ ]{3}+) ([^ ]+) (.*)'
         flags(store-matches)
     );
 };
@@ -11,18 +11,20 @@ filter f_citrix_netscaler_message {
 parser p_citrix_netscaler_date {
 {{- if (conv.ToBool (getenv "SC4S_SOURCE_CITRIX_NETSCALER_USEALT_DATE_FORMAT" "no")) }}
     #10/01/2001:01:01:01 GMT
-    date-parser(format('%m/%d/%Y:%H:%M:%S %Z')
-                template("$2"));
+    date-parser(format("%m/%d/%Y:%H:%M:%S")
+                template("$2")
+                flags(guess-timezone));
 {{- else }}
     #01/10/2001:01:01:01 GMT
-    date-parser(format('%d/%m/%Y:%H:%M:%S %Z')
-                template("$2"));
+    date-parser(format("%d/%m/%Y:%H:%M:%S")
+                template("$2")
+                flags(guess-timezone));
 {{- end }}
 };
 
 rewrite r_citrix_netscaler_message {
     set("citrix_netscaler" value("fields.sc4s_syslog_format"));
     set("citrix_netscaler" value("fields.sc4s_vendor_product"));
-    set("$3" value("HOST"));
-    set("$4" value("MESSAGE"));
+    set("$4" value("HOST"));
+    set("$5" value("MESSAGE"));
 };
\ No newline at end of file
diff --git a/package/etc/conf.d/log_paths/lp-cisco_acs.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_acs.conf.tmpl
index ff1109a..5288c07 100644
--- a/package/etc/conf.d/log_paths/lp-cisco_acs.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-cisco_acs.conf.tmpl
@@ -10,29 +10,36 @@ filter f_cisco_acs_complete{
     match("yes", value("ACS.COMPLETE") type(glob));
 };
 
-#This parser adds messages from ACS to a context without sending them
-#forward to Splunk
-parser acs_grouping {
+#This grabs the sequence numbers from the event; message gets group-parsed
+#if the total number of events (ACS.seq) is greater than 1
+
+parser acs_get_sequence {
     csv-parser(
         columns(PID, ACS.num, ACS.seq, MESSAGE)
         delimiters(chars(" "))
         flags(greedy)
     );
+};
+
+#This parser adds messages from ACS to a context without sending them on to Splunk
+
+parser acs_grouping {
     grouping-by(
         scope(program)
         key("$PID")
         trigger("$(+ ${ACS.seq} 1)" == "${ACS.num}")
         sort-key("${ACS.seq}")
         aggregate(
-             value("MESSAGE" "$(implode '' $(context-values ${MESSAGE}))")
-             value("ACS.COMPLETE" "yes")
+            value("MESSAGE" "$(implode '' $(context-values ${MESSAGE}))")
+            value("ACS.COMPLETE" "yes")
         )
         timeout(10)
     );
 };
 
-# The syslog message includes a date with nano seconds and TZ which is not in the header
-# So must reparse the date
+#The syslog message includes a date with milliseconds and TZ which is not in the header
+#So must reparse the date
+
 parser acs_event_time {
     csv-parser(
         columns(ACS.DATE, ACS.TIME, ACS.TZ, MESSAGE)
@@ -65,7 +72,14 @@ log {
         };
     };
 
-    parser(acs_grouping);
+# Do not run the events through the group parser if there is only one event
+    parser(acs_get_sequence);
+    if (match("1" value("ACS.num"))) {
+        rewrite { set("yes" value("ACS.COMPLETE"));
+        };
+    } else {
+        parser(acs_grouping);
+    };
 
     if {
         filter(f_cisco_acs_complete);
@@ -87,14 +101,6 @@ log {
         destination(d_archive);
 {{- end}}
 
-{{- if (print (getenv "SC4S_DEST_GLOBAL_ALTERNATES")) }}
-    {{ getenv "SC4S_DEST_GLOBAL_ALTERNATES" | regexp.ReplaceLiteral "^" "destination(" | regexp.ReplaceLiteral "[, ]+" ");\n    destination(" }});
-{{- end }}
-
-{{- if (print (getenv "SC4S_DEST_CISCO_ACS_ALTERNATES")) }}
-    {{ getenv "SC4S_DEST_CISCO_ACS_ALTERNATES" | regexp.ReplaceLiteral "^" "destination(" | regexp.ReplaceLiteral "[, ]+" ");\n    destination(" }});
-{{- end }}
-
         flags(flow-control,final);
     };
 
diff --git a/package/etc/conf.d/log_paths/lp-cisco_ise.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_ise.conf.tmpl
index a7d47e1..ec5c3c2 100644
--- a/package/etc/conf.d/log_paths/lp-cisco_ise.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-cisco_ise.conf.tmpl
@@ -10,29 +10,34 @@ filter f_cisco_ise_complete{
     match("yes", value("ISE.COMPLETE") type(glob));
 };
 
-#This parser adds messages from ISE to a context without sending them
-#forward to Splunk
+#This grabs the sequence numbers from the event; message gets group-parsed
+#if the total number of events (ISE.seq) is greater than 1
 
-parser ise_grouping {
+parser ise_get_sequence {
     csv-parser(
         columns(PID, ISE.num, ISE.seq, MESSAGE)
         delimiters(chars(" "))
         flags(greedy)
     );
+};
+
+#This parser adds messages from ISE to a context without sending them on to Splunk
+
+parser ise_grouping {
     grouping-by(
         scope(program)
         key("$PID")
         trigger("$(+ ${ISE.seq} 1)" == "${ISE.num}")
         sort-key("${ISE.seq}")
         aggregate(
-             value("MESSAGE" "$(implode '' $(context-values ${MESSAGE}))")
-             value("ISE.COMPLETE" "yes")
+            value("MESSAGE" "$(implode '' $(context-values ${MESSAGE}))")
+            value("ISE.COMPLETE" "yes")
         )
         timeout(10)
     );
 };
 
-#The syslog message includes a date with nano seconds and TZ which is not in the header
+#The syslog message includes a date with milliseconds and TZ which is not in the header
 #So must reparse the date
 
 parser ise_event_time {
@@ -67,7 +72,14 @@ log {
         };
     };
 
-    parser(ise_grouping);
+# Do not run the events through the group parser if there is only one event
+    parser(ise_get_sequence);
+    if (match("1" value("ISE.num"))) {
+        rewrite { set("yes" value("ISE.COMPLETE"));
+        };
+    } else {
+        parser(ise_grouping);
+    };
 
     if {
         filter(f_cisco_ise_complete);
diff --git a/package/etc/conf.d/log_paths/lp-cisco_ucm.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_ucm.conf.tmpl
index 61d0274..a20bbd8 100644
--- a/package/etc/conf.d/log_paths/lp-cisco_ucm.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-cisco_ucm.conf.tmpl
@@ -44,6 +44,7 @@ log {
 
     rewrite {
         set("cisco_ucm", value("fields.sc4s_vendor_product"));
+        set("$S_UNIXTIME.$S_MSEC", value("fields.sc4s_time"));
         r_set_splunk_dest_default(sourcetype("cisco:ucm"), index("main"))
     };
     parser {p_add_context_splunk(key("cisco_ucm")); };
diff --git a/package/etc/conf.d/log_paths/lp-zscaler_lss.conf.tmpl b/package/etc/conf.d/log_paths/lp-zscaler_lss.conf.tmpl
index 3df79f6..055984f 100644
--- a/package/etc/conf.d/log_paths/lp-zscaler_lss.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-zscaler_lss.conf.tmpl
@@ -23,10 +23,8 @@ log {
     parser {
         #.jsonLog.Timestamp Mar 04 20:37:53 2020
                 date-parser(
-                format("%b %d %H:%M:%S %Y",
-                       "%h %d %H:%M:%S %Y",
-                       "%b %d %k:%M:%S %Y",
-                       "%h %d %k:%M:%S %Y")
+                format("%a %b %d %H:%M:%S %Y",
+                       "%a %b %d %k:%M:%S %Y")
                 template("${.json.LogTimestamp}")
                 time-zone({{- getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}})
                 flags(guess-timezone)
diff --git a/package/etc/conf.d/log_paths/lp-zscaler_nss.conf.tmpl b/package/etc/conf.d/log_paths/lp-zscaler_nss.conf.tmpl
index cc14627..b7b4c48 100644
--- a/package/etc/conf.d/log_paths/lp-zscaler_nss.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-zscaler_nss.conf.tmpl
@@ -35,7 +35,6 @@ log {
             #basic parsing
             kv-parser(prefix(".kv.") pair-separator("\t") template("${MSG}"));
         };
-
         
         if (match("dns" value(".kv.product"))) {
         rewrite { r_set_splunk_dest_default(sourcetype("zscalernss-dns"), index("netdns"))};
diff --git a/tests/test_checkpoint.py b/tests/test_checkpoint.py
index efd52e0..77f8cc8 100644
--- a/tests/test_checkpoint.py
+++ b/tests/test_checkpoint.py
@@ -9,22 +9,29 @@
 
 from .sendmessage import *
 from .splunkutils import *
+from .timeutils import *
 
-env = Environment(extensions=['jinja2_time.TimeExtension'])
+env = Environment()
 
 #
 #Oct 8 15:00:25 DEVICENAME time=1570561225|hostname=devicename|severity=Informational|confidence_level=Unknown|product=IPS|action=Drop|ifdir=inbound|ifname=bond2|loguid={0x5d9cdcc9,0x8d159f,0x5f19f392,0x1897a828}|origin=1.1.1.1|time=1570561225|version=1|attack=Streaming Engine: TCP Segment Limit Enforcement|attack_info=TCP segment out of maximum allowed sequence. Packet dropped.|chassis_bladed_system=[ 1_3 ]|dst=10.10.10.10|origin_sic_name=CN=something_03_local,O=devicename.domain.com.p7fdbt|performance_impact=0|protection_id=tcp_segment_limit|protection_name=TCP Segment Limit Enforcement|protection_type=settings_tcp|proto=6|rule=393|rule_name=10.384_..|rule_uid={9F77F944-8DD5-4ADF-803A-785D03B3A2E8}|s_port=46455|service=443|smartdefense_profile=Recommended_Protection_ded9e8d8ee89d|src=1.1.1.2|
 def test_checkpoint_splunk_ips(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions for Checkpoint
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{{ mark }} {% now 'local', '%b %d %H:%M:%S' %} {{ host }} time={% now 'local', '%s' %}|hostname={{ host }}|severity=Informational|confidence_level=Unknown|product=IPS|action=Drop|ifdir=inbound|ifname=bond2|loguid={0x5d9cdcc9,0x8d159f,0x5f19f392,0x1897a828}|origin=1.1.1.1|time={% now 'local', '%s' %}|version=1|attack=Streaming Engine: TCP Segment Limit Enforcement|attack_info=TCP segment out of maximum allowed sequence. Packet dropped.|chassis_bladed_system=[ 1_3 ]|dst=10.10.10.10|origin_sic_name=CN=something_03_local,O=devicename.domain.com.p7fdbt|performance_impact=0|protection_id=tcp_segment_limit|protection_name=TCP Segment Limit Enforcement|protection_type=settings_tcp|proto=6|rule=393|rule_name=10.384_..|rule_uid={9F77F944-8DD5-4ADF-803A-785D03B3A2E8}|s_port=46455|service=443|smartdefense_profile=Recommended_Protection_ded9e8d8ee89d|src=1.1.1.2|\n")
-    message = mt.render(mark="<111>", host=host)
+        "{{ mark }} {{ bsd }} {{ host }} time={{ epoch }}|hostname={{ host }}|severity=Informational|confidence_level=Unknown|product=IPS|action=Drop|ifdir=inbound|ifname=bond2|loguid={0x5d9cdcc9,0x8d159f,0x5f19f392,0x1897a828}|origin=1.1.1.1|time={{ epoch }}|version=1|attack=Streaming Engine: TCP Segment Limit Enforcement|attack_info=TCP segment out of maximum allowed sequence. Packet dropped.|chassis_bladed_system=[ 1_3 ]|dst=10.10.10.10|origin_sic_name=CN=something_03_local,O=devicename.domain.com.p7fdbt|performance_impact=0|protection_id=tcp_segment_limit|protection_name=TCP Segment Limit Enforcement|protection_type=settings_tcp|proto=6|rule=393|rule_name=10.384_..|rule_uid={9F77F944-8DD5-4ADF-803A-785D03B3A2E8}|s_port=46455|service=443|smartdefense_profile=Recommended_Protection_ded9e8d8ee89d|src=1.1.1.2|\n")
+    message = mt.render(mark="<111>", host=host, bsd=bsd, epoch=epoch)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netids host=\"{{ host }}\" sourcetype=\"cp_log\" | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=netids host=\"{{ host }}\" sourcetype=\"cp_log\"")
+    search = st.render(epoch=epoch, bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -38,14 +45,20 @@ def test_checkpoint_splunk_ips(record_property, setup_wordlist, setup_splunk, se
 def test_checkpoint_splunk_firewall(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions for Checkpoint
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{{ mark }} {% now 'local', '%b %d %H:%M:%S' %} {{ host }} time={% now 'local', '%s' %}|hostname={{ host }}|product=Firewall|action=Drop|ifdir=inbound|ifname=bond1|loguid={0x5d9ce80f,0x8d0555,0x5f19f392,0x18982828}|origin=1.1.1.1|time={% now 'local', '%s' %}|version=1|chassis_bladed_system=[ 1_1 ]|dst=10.10.10.10|inzone=External|origin_sic_name=CN=something_03_local,O=devicename.domain.com.p7fdbt|outzone=Internal|proto=6|rule=402|rule_name=11_..|rule_uid={C8CD796E-7BD5-47B6-90CA-B250D062D5E5}|s_port=33687|service=23|src=1.1.1.2|\n")
-    message = mt.render(mark="<111>", host=host)
+        "{{ mark }} {{ bsd }} {{ host }} time={{ epoch }}|hostname={{ host }}|product=Firewall|action=Drop|ifdir=inbound|ifname=bond1|loguid={0x5d9ce80f,0x8d0555,0x5f19f392,0x18982828}|origin=1.1.1.1|time={{ epoch }}|version=1|chassis_bladed_system=[ 1_1 ]|dst=10.10.10.10|inzone=External|origin_sic_name=CN=something_03_local,O=devicename.domain.com.p7fdbt|outzone=Internal|proto=6|rule=402|rule_name=11_..|rule_uid={C8CD796E-7BD5-47B6-90CA-B250D062D5E5}|s_port=33687|service=23|src=1.1.1.2|\n")
+    message = mt.render(mark="<111>", host=host, bsd=bsd, epoch=epoch)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netfw host=\"{{ host }}\" sourcetype=\"cp_log\" | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=netfw host=\"{{ host }}\" sourcetype=\"cp_log\"")
+    search = st.render(epoch=epoch, bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -59,14 +72,20 @@ def test_checkpoint_splunk_firewall(record_property, setup_wordlist, setup_splun
 def test_checkpoint_splunk_mds(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions for Checkpoint
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{{ mark }} {% now 'local', '%b %d %H:%M:%S' %} {{ host }} |hostname={{ host }}|time={% now 'local', '%s' %}|product=mds-query-tool|action=Accept|ifdir=outbound|origin=1.1.1.1|2.2.2.2|originsicname=cn\=cp_mgmt,o\=DEVICENAME.domain.com.p7fdbt|sequencenum=1|time={% now 'local', '%s' %}|version=5|administrator=localhost|client_ip=3.3.3.3|machine=DEVICENAME|operation=Log Out|operation_number=12|subject=Administrator Login|\n")
-    message = mt.render(mark="<111>", host=host)
+        "{{ mark }} {{ bsd }} {{ host }} |hostname={{ host }}|product=mds-query-tool|action=Accept|ifdir=outbound|origin=1.1.1.1|2.2.2.2|originsicname=cn\=cp_mgmt,o\=DEVICENAME.domain.com.p7fdbt|sequencenum=1|time={{ epoch }}|version=5|administrator=localhost|client_ip=3.3.3.3|machine=DEVICENAME|operation=Log Out|operation_number=12|subject=Administrator Login|\n")
+    message = mt.render(mark="<111>", host=host, bsd=bsd, epoch=epoch)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netops host=\"{{ host }}\" sourcetype=\"cp_log\" | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=netops host=\"{{ host }}\" sourcetype=\"cp_log\"")
+    search = st.render(epoch=epoch, bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -80,14 +99,20 @@ def test_checkpoint_splunk_mds(record_property, setup_wordlist, setup_splunk, se
 def test_checkpoint_splunk_cpmi(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions for Checkpoint
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{{ mark }} {% now 'local', '%b %d %H:%M:%S' %} {{ host }} |hostname={{ host }}|product=CPMI Client|action=Accept|ifdir=outbound|origin=1.1.1.1|2.2.2.2|originsicname=cn\=cp_mgmt,o\=DEVICENAME.domain.com.p7fdbt|sequencenum=1|time={% now 'local', '%s' %}|version=5|administrator=localhost|client_ip=3.3.3.3|machine=DEVICENAME|operation=Log Out|operation_number=12|subject=Administrator Login\n")
-    message = mt.render(mark="<111>", host=host)
+        "{{ mark }} {{ bsd }} {{ host }} |hostname={{ host }}|product=CPMI Client|action=Accept|ifdir=outbound|origin=1.1.1.1|2.2.2.2|originsicname=cn\=cp_mgmt,o\=DEVICENAME.domain.com.p7fdbt|sequencenum=1|time={{ epoch }}|version=5|administrator=localhost|client_ip=3.3.3.3|machine=DEVICENAME|operation=Log Out|operation_number=12|subject=Administrator Login\n")
+    message = mt.render(mark="<111>", host=host, bsd=bsd, epoch=epoch)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netops host=\"{{ host }}\" sourcetype=\"cp_log\" | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=netops host=\"{{ host }}\" sourcetype=\"cp_log\"")
+    search = st.render(epoch=epoch, bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -101,14 +126,20 @@ def test_checkpoint_splunk_cpmi(record_property, setup_wordlist, setup_splunk, s
 def test_checkpoint_splunk_web_api(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions for Checkpoint
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{{ mark }} {% now 'local', '%b %d %H:%M:%S' %} {{ host }} |hostname={{ host }}|product=WEB_API|action=Accept|ifdir=outbound|origin=1.1.1.1|2.2.2.2|originsicname=cn\=cp_mgmt,o\=DEVICENAME.domain.com.p7fdbt|sequencenum=1|time={% now 'local', '%s' %}|version=5|administrator=tufinapi|client_ip=3.3.3.3|machine=DEVICENAME|operation=Log Out|operation_number=12|subject=Administrator Login\n")
-    message = mt.render(mark="<111>", host=host)
+        "{{ mark }} {{ bsd }} {{ host }} |hostname={{ host }}|product=WEB_API|action=Accept|ifdir=outbound|origin=1.1.1.1|2.2.2.2|originsicname=cn\=cp_mgmt,o\=DEVICENAME.domain.com.p7fdbt|sequencenum=1|time={{ epoch }}|version=5|administrator=tufinapi|client_ip=3.3.3.3|machine=DEVICENAME|operation=Log Out|operation_number=12|subject=Administrator Login\n")
+    message = mt.render(mark="<111>", host=host, bsd=bsd, epoch=epoch)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netops host=\"{{ host }}\" sourcetype=\"cp_log\" | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=netops host=\"{{ host }}\" sourcetype=\"cp_log\"")
+    search = st.render(epoch=epoch, bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -122,14 +153,20 @@ def test_checkpoint_splunk_web_api(record_property, setup_wordlist, setup_splunk
 def test_checkpoint_splunk_smartconsole(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions for Checkpoint
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{{ mark }} {% now 'local', '%b %d %H:%M:%S' %} {{ host }} time={% now 'local', '%s' %}|hostname={{ host }}|product=SmartConsole|action=Accept|ifdir=outbound|origin=1.1.1.1|4.4.4.4|sequencenum=1|time={% now 'local', '%s' %}|version=5|additional_info=Authentication method: Password based application token|administrator=psanadhya|client_ip=3.3.3.3|machine=DEVICENAME|operation=Log In|operation_number=10|subject=Administrator Login|\n")
-    message = mt.render(mark="<111>", host=host)
+        "{{ mark }} {{ bsd }} {{ host }} time={{ epoch }}|hostname={{ host }}|product=SmartConsole|action=Accept|ifdir=outbound|origin=1.1.1.1|4.4.4.4|sequencenum=1|time={{ epoch }}|version=5|additional_info=Authentication method: Password based application token|administrator=psanadhya|client_ip=3.3.3.3|machine=DEVICENAME|operation=Log In|operation_number=10|subject=Administrator Login|\n")
+    message = mt.render(mark="<111>", host=host, bsd=bsd, epoch=epoch)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netops host=\"{{ host }}\" sourcetype=\"cp_log\" | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=netops host=\"{{ host }}\" sourcetype=\"cp_log\"")
+    search = st.render(epoch=epoch, bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -139,21 +176,19 @@ def test_checkpoint_splunk_smartconsole(record_property, setup_wordlist, setup_s
 
     assert resultCount == 1
 
-
 #<6>kernel: sd 2:0:0:0: SCSI error: return code = 0x00040000
 def test_checkpoint_splunk_os(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
     pid = random.randint(1000, 32000)
 
-
     mt = env.from_string(
         "{{ mark }}kernel: sd 2:0:0:0: SCSI error: return code = 0x{{pid}}\n")
     message = mt.render(mark="<6>", pid=pid)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=osnix \"0x{{ pid }}\" sourcetype=\"nix:syslog\" | head 2")
-    search = st.render(pid=pid)
+    st = env.from_string("search earliest=-1m@m latest=+1m@m index=osnix \"0x{{ pid }}\" sourcetype=\"nix:syslog\"")
+    search = st.render(host=host, pid=pid)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
diff --git a/tests/test_cisco_acs.py b/tests/test_cisco_acs.py
index a26e19d..22efa5e 100644
--- a/tests/test_cisco_acs.py
+++ b/tests/test_cisco_acs.py
@@ -4,55 +4,26 @@
 # license that can be found in the LICENSE-BSD2 file or at
 # https://opensource.org/licenses/BSD-2-Clause
 import random
-import datetime
 
 from jinja2 import Environment
 
 from .sendmessage import *
 from .splunkutils import *
+from .timeutils import *
 
 env = Environment()
 
-# Helper functions
-# Insert a character at given location in string (e.g space between ms and TZ offset 2020-02-12 12:46:39.323 -08:00)
-def insert_char(string, char, integer):
-    return string[0:integer] + char + string[integer:]
-
-def time_operations(dt):
-    # Generate an ISO 8601 (RFC 5424) compliant timestamp with local timezone offset (2020-02-12T12:46:39.323-08:00)
-    # See https://stackoverflow.com/questions/2150739/iso-time-iso-8601-in-python
-    iso = dt.astimezone().isoformat(sep='T', timespec='milliseconds')
-    # Generate an BSD-style (RFC 3164) compliant timestamp with no timezone (Oct 25 13:08:00)
-    bsd = dt.strftime("%b %d %H:%M:%S")
-
-    # Other variants of timestamps needed for this log sample
-    time = dt.strftime("%H:%M:%S.%f")[:-3]
-    date = dt.strftime("%Y-%m-%d")
-    # Insert colon in tzoffset string; normally just 'tzoffset = dt.astimezone().strftime("%z")'
-    # Could use helper function above; e.g. 'tzoffset = insert_char(dt.astimezone().strftime("%z"), ":", 3)'
-    tzoffset = dt.astimezone().strftime("%z")[0:3] + ":" + dt.astimezone().strftime("%z")[3:]
-
-    # Derive epoch timestamp for use in search string
-    # NOTE:  There are caveats with 'strftime("%s")', see references below
-
-    # See https://stackoverflow.com/questions/11743019/convert-python-datetime-to-epoch-with-strftime
-    # See https://docs.python.org/3/library/datetime.html#datetime-objects
-    # Basically: Don't use 'utcnow()'
-
-    # Strict way to get epoch as a string (rather than float) avoiding naive objects
-    # epoch = dt.fromtimestamp(dt.timestamp()).strftime('%s')
-
-    # Since datetime.now().astimezone() is aware, strftime() should be safe and form below OK
-    # Trim last 3 or 7 characters of microsecond resolution to obtain milliseconds or whole seconds, respectively
-    epoch = dt.astimezone().strftime("%s.%f")[:-3]
-
-    return iso, bsd, time, date, tzoffset, epoch
-
 def test_cisco_acs_single(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
     dt = datetime.datetime.now()
-    iso, bsd, time, date, tzoffset, epoch = time_operations(dt)
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions for Cisco ACS
+    time = time[:-3]
+    tzoffset = tzoffset[0:3] + ":" + tzoffset[3:]
+    epoch = epoch[:-3]
+
 
     mt = env.from_string(
         "{{ mark }} {{ bsd }} {{ host }} CSCOacs_Passed_Authentications 0765855540 1 0 {{ date }} {{ time }} {{ tzoffset }} 0178632943 5202 NOTICE Device-Administration: Command Authorization succeeded, ACSVersion=acs-5.8.1.4-B.462.x86_64, ConfigVersionId=16489, Device IP Address=10.0.0.93, DestinationIPAddress=10.0.0.10, DestinationPort=49, UserName=nsdevman, CmdSet=[ CmdAV=show CmdArgAV=vpn-sessiondb CmdArgAV=full CmdArgAV=ra-ikev2-ipsec ], Protocol=Tacacs, MatchedCommandSet=fw3, RequestLatency=11, Type=Authorization, Privilege-Level=15, Authen-Type=ASCII, Service=None, User=nsdevman, Port=443, Remote-Address=10.0.0.15, Authen-Method=TacacsPlus, Service-Argument=shell, AcsSessionID=mnsvdcfpiuac03/359448835/9871764, AuthenticationIdentityStore=AD1, AuthenticationMethod=Lookup, SelectedAccessService=Default Device Admin, SelectedCommandSet=fw3, IdentityGroup=IdentityGroup:All Groups:SystemID, Step=13005 , Step=15008 , Step=15004 , Step=15012 , Step=15041 , Step=15004 , Step=15013 , Step=24210 , Step=24212 , Step=24432 , Step=24325 , Step=24313 , Step=24319 , Step=24323 , Step=24420 , Step=24355 , Step=24416 , Step=22037 , Step=15044 , Step=15035 , Step=15042 , Step=15036 , Step=15004 , Step=15018 , Step=13024 , Step=13034 , SelectedAuthenticationIdentityStores=Internal Users, NetworkDeviceName=devicenamehere, NetworkDeviceGroups=Device Type:All Device Types:Firewall:Cisco Systems:Firewall:ASA5545, NetworkDeviceGroups=Location:All Locations:MN, ServiceSelectionMatchedRule=TACACS, IdentityPolicyMatchedRule=Firewall, AuthorizationPolicyMatchedRule=nsdevman, AD-User-Candidate-Identities=nsdevman@ent.example.corp, AD-User-DNS-Domain=ent.example.corp, AD-User-NetBios-Name=AD-ENT, AD-User-Resolved-Identities=nsdevman@ent.example.corp, AD-User-Join-Point=ENT.example.CORP, AD-User-Resolved-DNs=CN=nsdevman\,OU=Service Accounts\,OU=CAO\,OU=ENT\,DC=ent\,DC=wfb\,DC=example\,DC=corp, StepData=10=nsdevman, StepData=11=ent.example.corp, StepData=12=example.corp, StepData=15=ent.example.corp, AD-Domain=ent.example.corp, IdentityAccessRestricted=false, UserIdentityGroup=IdentityGroup:All Groups:SystemID, Cisco-Firewall=Superuser, Firewall=Superuser, NetSec-CSM=User, NetSec-Logging=Engineer, Response={Type=Authorization; Author-Reply-Status=PassAdd; ExternalIdentityStoreName=AD1; }\n")
@@ -75,10 +46,15 @@ def test_cisco_acs_multi(record_property, setup_wordlist, setup_splunk, setup_sc
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
     dt = datetime.datetime.now()
-    iso, bsd, time, date, tzoffset, epoch = time_operations(dt)
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions for Cisco ACS
+    time = time[:-3]
+    tzoffset = tzoffset[0:3] + ":" + tzoffset[3:]
+    epoch = epoch[:-3]
 
     mt = env.from_string(
-        "{{ mark }} {{ bsd }} {{ host }} CSCOacs_Passed_Authentications 0000000002 2 0 {{ date }} {{ time }} {{ tzoffset }} 0000008450 5203 NOTICE Device-Administration: Session Authorization succeeded, ACSVersion=acs-5.2.0.26-B.3075, ConfigVersionId=117, Device IP Address=192.168.26.137, UserName=edward, CmdSet=[ CmdAV= ], Protocol=Tacacs, RequestLatency=10, NetworkDeviceName=switch, Type=Authorization, Privilege-Level=1, Authen-Type=ASCII, Service=Login, User=edward, Port=tty2, Remote-Address=10.78.167.190, Authen-Method=TacacsPlus, Service-Argument=shell, AcsSessionID=ACS41/101085887/112, AuthenticationIdentityStore=Internal Users, AuthenticationMethod=Lookup, SelectedAccessService=Default Device Admin, SelectedShellProfile=Permit Access, IdentityGroup=IdentityGroup:All Groups, Step=13005 , Step=15008 , Step=15004 , Step=15012 , Step=15041 , Step=15006 , Step=15013 , Step=24210 , Step=24212 , Step=22037 , Step=15044 , Step=15035 , Step=15042 , Step=15036 , Step=15004 , Step=15017 , Step=13034 ,\n")
+        "{{ mark }} {{ bsd }} {{ host }} CSCOacs_Passed_Authentications 0000000002 2 0 {{ date }} {{ time }} {{ tzoffset }} 0000008450 5203 NOTICE Device-Administration: Session Authorization succeeded, ACSVersion=acs-5.2.0.26-B.3075, ConfigVersionId=117, Device IP Address=192.168.26.137, UserName=edward, CmdSet=[ CmdAV= ], Protocol=Tacacs, RequestLatency=10, NetworkDeviceName=switch, Type=Authorization, Privilege-Level=1, Authen-Type=ASCII, Service=Login, User=edward, Port=tty2, Remote-Address=10.78.167.190, Authen-Method=TacacsPlus, Service-Argument=shell, AcsSessionID=ACS41/101085887/112, AuthenticationIdentityStore=Internal Users, AuthenticationMethod=Lookup, SelectedAccessService=Default Device Admin, SelectedShellProfile=Permit Access, IdentityGroup=IdentityGroup:All Groups, Step=13005 , Step=15008 , Step=15004 , Step=15012 , Step=15041 , Step=15006 , Step=15013 , Step=24210 , Step=24212 , Step=22037 , Step=15044 , Step=15035 , Step=15042 , Step=15036 , Step=15004 , Step=15017 , Step=13034 , \n")
     message = mt.render(mark="<165>", bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset)
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
@@ -88,7 +64,7 @@ def test_cisco_acs_multi(record_property, setup_wordlist, setup_splunk, setup_sc
 
     mt = env.from_string(
         "{{ mark }} {{ second_bsd }} {{ host }} CSCOacs_Passed_Authentications 0000000002 2 1 Step=13015 , SelectedAuthenticationIdentityStores=Internal Users, NetworkDeviceGroups=s1Migrated_NDGs:All s1Migrated_NDGs, NetworkDeviceGroups=Device Type:All Device Types, NetworkDeviceGroups=Location:All Locations, ServiceSelectionMatchedRule=Rule-2, IdentityPolicyMatchedRule=Default, AuthorizationPolicyMatchedRule=Rule-0, Action=Login, Privilege-Level=1, Authen-Type=ASCII, Service=Login, Remote-Address=10.78.167.190, UserIdentityGroup=IdentityGroup:All\n")
-    message = mt.render(mark="<165>", second_bsd=second_bsd, host=host)
+    message = mt.render(mark="<165>", second_bsd=second_bsd, bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset)
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
     st = env.from_string("search _time={{ epoch }} index=netauth host=\"{{ host }}\" sourcetype=\"cisco:acs\" \"Step=13015\"")
diff --git a/tests/test_cisco_apic.py b/tests/test_cisco_apic.py
index 4599650..5f59fea 100644
--- a/tests/test_cisco_apic.py
+++ b/tests/test_cisco_apic.py
@@ -9,20 +9,27 @@
 
 from .sendmessage import *
 from .splunkutils import *
+from .timeutils import *
 
-env = Environment(extensions=['jinja2_time.TimeExtension'])
+env = Environment()
 
 #<11>July 22 22:45:28 apic1 %LOG_LOCAL0-2-SYSTEM_MSG [F0110][soaking][node-failed][critical][topology/pod-1/node-102/fault-F0110] Node 102 not reachable. unknown
 def test_cisco_aci(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions for Cisco APIC
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{{ mark }} {% now 'local', '%b %d %H:%M:%S' %} {{ host }} %LOG_LOCAL0-2-SYSTEM_MSG [F0110][soaking][node-failed][critical][topology/pod-1/node-102/fault-F0110]\n")
-    message = mt.render(mark="<165>", host=host)
+        "{{ mark }} {{ bsd }} {{ host }} %LOG_LOCAL0-2-SYSTEM_MSG [F0110][soaking][node-failed][critical][topology/pod-1/node-102/fault-F0110]\n")
+    message = mt.render(mark="<165>", bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset)
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netops host=\"{{ host }}\" sourcetype=\"cisco:apic:events\" | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=netops host=\"{{ host }}\" sourcetype=\"cisco:apic:events\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -36,13 +43,19 @@ def test_cisco_aci(record_property, setup_wordlist, setup_splunk, setup_sc4s):
 def test_cisco_aci_acl(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions for Cisco APIC
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{{ mark }} {% now 'local', '%b %d %H:%M:%S' %} {{ host }} %ACLLOG-5-ACLLOG_PKTLOG unable to locate real message\n")
-    message = mt.render(mark="<165>", host=host)
+        "{{ mark }} {{ bsd }} {{ host }} %ACLLOG-5-ACLLOG_PKTLOG unable to locate real message\n")
+    message = mt.render(mark="<165>", bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset)
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netfw host=\"{{ host }}\" sourcetype=\"cisco:apic:acl\" | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=netfw host=\"{{ host }}\" sourcetype=\"cisco:apic:acl\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
diff --git a/tests/test_cisco_asa.py b/tests/test_cisco_asa.py
index 4d71789..77a934f 100644
--- a/tests/test_cisco_asa.py
+++ b/tests/test_cisco_asa.py
@@ -9,8 +9,9 @@
 
 from .sendmessage import *
 from .splunkutils import *
+from .timeutils import *
 
-env = Environment(extensions=['jinja2_time.TimeExtension'])
+env = Environment()
 
 
 # Apr 15 2017 00:21:14 192.168.12.1 : %ASA-5-111010: User 'john', running 'CLI' from IP 0.0.0.0, executed 'dir disk0:/dap.xml'
@@ -19,14 +20,20 @@
 def test_cisco_asa_traditional(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{{ mark }} {% now 'local', '%b %d %H:%M:%S' %} {{ host }} : %ASA-3-003164: TCP access denied by ACL from 179.236.133.160/3624 to outside:72.142.18.38/23\n")
-    message = mt.render(mark="<111>", host=host)
+        "{{ mark }} {{ bsd }} {{ host }} : %ASA-3-003164: TCP access denied by ACL from 179.236.133.160/3624 to outside:72.142.18.38/23\n")
+    message = mt.render(mark="<111>", bsd=bsd, host=host)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netfw host=\"{{ host }}\" sourcetype=\"cisco:asa\" \"%ASA-3-003164\" | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=netfw host=\"{{ host }}\" sourcetype=\"cisco:asa\" \"%ASA-3-003164\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -40,14 +47,20 @@ def test_cisco_asa_traditional(record_property, setup_wordlist, setup_splunk, se
 def test_cisco_asa_traditional_nohost(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{{ mark }} {% now 'local', '%b %d %H:%M:%S' %}: %ASA-4-402119: IPSEC: Received an ESP packet (SPI= 0x0C190BF9, sequence number= 0x598243) from {{host}} (user= 192.0.0.1) to 192.0.0.2 that failed anti-replay checking.\n")
-    message = mt.render(mark="<111>", host=host)
+        "{{ mark }} {{ bsd }}: %ASA-4-402119: IPSEC: Received an ESP packet (SPI= 0x0C190BF9, sequence number= 0x598243) from {{host}} (user= 192.0.0.1) to 192.0.0.2 that failed anti-replay checking.\n")
+    message = mt.render(mark="<111>", bsd=bsd, host=host)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netfw sourcetype=\"cisco:asa\" \"%ASA-4-402119\" \"{{ host }}\" | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=netfw sourcetype=\"cisco:asa\" \"%ASA-4-402119\" \"{{ host }}\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -62,14 +75,23 @@ def test_cisco_asa_traditional_nohost(record_property, setup_wordlist, setup_spl
 def test_cisco_asa_rfc5424(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
+#   Get UTC-based 'dt' time structure
+    dt = datetime.datetime.now(datetime.timezone.utc)
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    # iso from included timeutils is from local timezone; need to keep iso as UTC
+    iso = dt.isoformat()[0:19]
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{{ mark }} {% now 'utc', '%Y-%m-%dT%H:%M:%SZ' %} {{ host }} : %ASA-3-005424: TCP access denied by ACL from 179.236.133.160/5424 to outside:72.142.18.38/23\n")
-    message = mt.render(mark="<166>", host=host)
+        "{{ mark }} {{ iso }}Z {{ host }} : %ASA-3-005424: TCP access denied by ACL from 179.236.133.160/5424 to outside:72.142.18.38/23 epoch={{ epoch }}\n")
+    message = mt.render(mark="<166>", iso=iso, epoch=epoch, host=host)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netfw host=\"{{ host }}\" sourcetype=\"cisco:asa\" \"%ASA-3-005424\"| head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=netfw host=\"{{ host }}\" sourcetype=\"cisco:asa\" \"%ASA-3-005424\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
diff --git a/tests/test_cisco_ios.py b/tests/test_cisco_ios.py
index 8d25926..94cfca9 100644
--- a/tests/test_cisco_ios.py
+++ b/tests/test_cisco_ios.py
@@ -8,9 +8,10 @@
 
 from .sendmessage import *
 from .splunkutils import *
-import pytest
-env = Environment(extensions=['jinja2_time.TimeExtension'])
+from .timeutils import *
 
+import pytest
+env = Environment()
 
 #30: foo: 6340004: *Mar  4 11:45:20: %SEC-6-IPACCESSLOGP: list INET-BLOCK permitted tcp 192.168.20.252(55244) -> 10.54.3.178(44818), 1 packet
 #30: foo: *Apr 29 13:58:46.000001: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated
@@ -27,34 +28,46 @@
 #*Mar  1 18:48:50.483 UTC: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
 
 testdata = [
-        "{{ mark }}{{ seq }}: {{ host }}: 6340004: *{% now 'local', '%b %d %H:%M:%S' %}: %SEC-6-IPACCESSLOGP: list INET-BLOCK permitted tcp 192.168.20.252(55244) -> 10.54.3.178(44818), 1 packet",
-        "{{ mark }}{{ seq }}: {{ host }}: *{% now 'local', '%b %d %H:%M:%S' %}.000001: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated",
-        "{{ mark }}{{ seq }}: {{ host }}: *{% now 'local', '%b %d %H:%M:%S' %}: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated",
-        "{{ mark }}{{ host }}: *{% now 'local', '%b %d %H:%M:%S' %}: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure.",
-        "{{ mark }}{{ seq }}: {{ host }}: 6340004: {% now 'local', '%b %d %H:%M:%S' %}: %SEC-6-IPACCESSLOGP: list INET-BLOCK permitted tcp 192.168.20.252(55244) -> 10.54.3.178(44818), 1 packet",
-        "{{ mark }}{{ seq }}: {{ host }}: {% now 'local', '%b %d %H:%M:%S' %}.000001: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated",
-        "{{ mark }}{{ seq }}: {{ host }}: {% now 'local', '%b %d %H:%M:%S' %}.411: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated",
-        "{{ mark }}{{ host }}: {% now 'local', '%b %d %H:%M:%S' %}.411: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure.",
+        "{{ mark }}{{ seq }}: {{ host }}: 6340004: *{{ bsd }}: %SEC-6-IPACCESSLOGP: list INET-BLOCK permitted tcp 192.168.20.252(55244) -> 10.54.3.178(44818), 1 packet",
+        "{{ mark }}{{ seq }}: {{ host }}: *{{ bsd }}.{{ microsec }}: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated {{ bsd }}.{{ millisec }}",
+        "{{ mark }}{{ seq }}: {{ host }}: *{{ bsd }}: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated",
+        "{{ mark }}{{ host }}: *{{ bsd }}: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure.",
+        "{{ mark }}{{ seq }}: {{ host }}: 6340004: {{ bsd }}: %SEC-6-IPACCESSLOGP: list INET-BLOCK permitted tcp 192.168.20.252(55244) -> 10.54.3.178(44818), 1 packet",
+        "{{ mark }}{{ seq }}: {{ host }}: {{ bsd }}.{{ microsec }}: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated",
+        "{{ mark }}{{ seq }}: {{ host }}: {{ bsd }}.{{ millisec }}: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated",
+        "{{ mark }}{{ host }}: {{ bsd }}.{{ millisec }}: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure. {{ bsd }}.{{ millisec }}",
+        "{{ mark }}*{{ bsd }}.{{ millisec }} {{ tzname }}: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36) {{ host }}"
+    ]
+
+testdata_uptime = [
         "{{ mark }}{{ host }}: 00:01:01: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the ",
         "{{ mark }}00:01:01: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the {{ host }}",
         "{{ mark }}{{ host }}: 00:01:01: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the ",
         "{{ mark }}{{ seq }}: 00:01:01: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the {{ host }}",
         "{{ mark }}{{ seq }}: {{ host }}: 1 2: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure.shutdown procedure.",
-        "{{ mark }}101 21: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure.shutdown procedure. {{ host }}",
-        "{{ mark }}*{% now 'local', '%b %d %H:%M:%S' %}.483 UTC: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36) {{ host }}"
+        "{{ mark }}101 21: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure.shutdown procedure. {{ host }}"
     ]
 
 @pytest.mark.parametrize("event", testdata)
 def test_cisco_ios(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s,event):
     host = get_host_key
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+    time = time[:-7]
+    millisec = iso[20:23]
+    microsec = iso[20:26]
+
     mt = env.from_string(event + "\n")
-    message = mt.render(mark="<166>", seq=20, host=host)
+    message = mt.render(mark="<166>", seq=20, bsd=bsd, time=time, millisec=millisec, microsec=microsec, tzname=tzname, host=host)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netops sourcetype=\"cisco:ios\" (host=\"{{ host }}\" OR \"{{ host }}\") | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search index=netops (_time={{ epoch }} OR _time={{ epoch }}.{{ millisec }} OR _time={{ epoch }}.{{ microsec }}) sourcetype=\"cisco:ios\" (host=\"{{ host }}\" OR \"{{ host }}\")")
+    search = st.render(epoch=epoch, millisec=millisec, microsec=microsec, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -63,3 +76,23 @@ def test_cisco_ios(record_property, setup_wordlist, get_host_key, setup_splunk,
     record_property("message", message)
 
     assert resultCount == 1
+
+@pytest.mark.parametrize("event", testdata_uptime)
+def test_cisco_ios_uptime(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s,event):
+    host = get_host_key
+ 
+    mt = env.from_string(event + "\n")
+    message = mt.render(mark="<166>", seq=20, host=host)
+
+    sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+    st = env.from_string("search index=netops earliest=-1m@m latest=+1m@m sourcetype=\"cisco:ios\" (host=\"{{ host }}\" OR \"{{ host }}\")")
+    search = st.render(host=host)
+ 
+    resultCount, eventCount = splunk_single(setup_splunk, search)
+ 
+    record_property("host", host)
+    record_property("resultCount", resultCount)
+    record_property("message", message)
+
+    assert resultCount == 1
diff --git a/tests/test_cisco_ise.py b/tests/test_cisco_ise.py
index c3ff69c..bee913c 100644
--- a/tests/test_cisco_ise.py
+++ b/tests/test_cisco_ise.py
@@ -9,39 +9,48 @@
 
 from .sendmessage import *
 from .splunkutils import *
+from .timeutils import *
 
-env = Environment(extensions=['jinja2_time.TimeExtension'])
+env = Environment()
 
 #<165>Apr 24 15:00:48 ICDC-ISE03 CISE_Passed_Authentications 0001939187 4 0 2019-04-24 15:00:48.610 +00:00 0042009748 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=128, Device IP Address=10.6.64.15, DestinationIPAddress=10.16.20.23, DestinationPort=1812, UserName=90-1B-0E-34-EA-92, Protocol=Radius, RequestLatency=8, NetworkDeviceName=ICPAV2-SW15, User-Name=901b0e34ea92, NAS-IP-Address=10.6.64.15, NAS-Port=50104, Service-Type=Call Check, Framed-IP-Address=10.6.226.138, Framed-MTU=1500, Called-Station-ID=B0-FA-EB-11-70-04, Calling-Station-ID=90-1B-0E-34-EA-92, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet0/4, EAP-Key-Name=, cisco-av-pair=service-type=Call Check, cisco-av-pair=audit-session-id=0A06400F000006AA6F83C371, cisco-av-pair=method=mab, OriginalUserName=901b0e34ea92, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b2652f13-5b3f-41ba-ada2-8385c8870809, IsThirdPartyDeviceFlow=false, RadiusFlowType=WiredMAB, SSID=B0-FA-EB-11-70-04,
 #<165>Apr 24 15:00:48 ICDC-ISE03 CISE_Passed_Authentications 0001939187 4 1  AcsSessionID=ICDC-ISE03/341048949/1407358, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=WIRED_GUEST_REDIRECT, UseCase=Host Lookup, IdentityGroup=Endpoint Identity Groups:Unknown, Step=11001, Step=11017, Step=11027, Step=15049, Step=15008, Step=15048, Step=15048, Step=15041, Step=15013, Step=24209, Step=24211, Step=22037, Step=24715, Step=15036, Step=15048, Step=15048, Step=15016, Step=11002, SelectedAuthenticationIdentityStores=Internal Endpoints, AuthenticationStatus=AuthenticationPassed, NetworkDeviceGroups=Location#All Locations#Provo, NetworkDeviceGroups=Device Type#All Device Types#Switches, NetworkDeviceGroups=Migrated NDGs#All Migrated NDGs, IdentityPolicyMatchedRule=Default, AuthorizationPolicyMatchedRule=Guest Web Auth, UserType=Host, CPMSessionID=0A06400F000006AA6F83C371, EndPointMACAddress=90-1B-0E-34-EA-92,
 #<165>Apr 24 15:00:48 ICDC-ISE03 CISE_Passed_Authentications 0001939187 4 2  PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Unknown, DeviceRegistrationStatus=notRegistered, ISEPolicySetName=Wired MAB, IdentitySelectionMatchedRule=Default, StepData=5= Aruba.Aruba-Essid-Name, StepData=6= DEVICE.Device Type, StepData=8=Internal Endpoints, StepData=14= EndPoints.LogicalProfile, StepData=15= Network Access.Protocol, allowEasyWiredSession=false, DTLSSupport=Unknown, HostIdentityGroup=Endpoint Identity Groups:Unknown, Network Device Profile=Cisco, Location=Location#All Locations#Provo, Device Type=Device Type#All Device Types#Switches, Migrated NDGs=Migrated NDGs#All Migrated NDGs, Name=Endpoint Identity Groups:Unknown,
 #<165>Apr 24 15:00:48 ICDC-ISE03 CISE_Passed_Authentications 0001939187 4 3  Response={UserName=90:1B:0E:34:EA:92; User-Name=90-1B-0E-34-EA-92; State=ReauthSession:0A06400F000006AA6F83C371; Class=CACS:0A06400F000006AA6F83C371:ICDC-ISE03/341048949/1407358; Session-Timeout=300; Idle-Timeout=240; Termination-Action=RADIUS-Request; cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT; cisco-av-pair=url-redirect=https://ICDC-ISE03.example.com:8443/portal/gateway?sessionId=0A06400F000006AA6F83C371&portal=c5a76cb0-6150-11e5-b062-0050568d954e&action=cwa&type=drw&token=6ded1943789b345f7afdd09e91549047; cisco-av-pair=profile-name=Unknown; LicenseTypes=1; },
 
-def test_cisco_ise(record_property, setup_wordlist, setup_splunk, setup_sc4s):
+def test_cisco_ise_multi(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions for Cisco ACS
+    time = time[:-3]
+    tzoffset = tzoffset[0:3] + ":" + tzoffset[3:]
+    epoch = epoch[:-3]
+
     mt = env.from_string(
-        "{{ mark }} {% now 'local', '%b %d %H:%M:%S' %} {{ host }} CISE_Passed_Authentications 0001939187 4 0 {% now 'utc', '%Y-%m-%d %H:%M:%S' %}.610 +00:00 0042009748 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=128, Device IP Address=10.6.64.15, DestinationIPAddress=10.16.20.23, DestinationPort=1812, UserName=90-1B-0E-34-EA-92, Protocol=Radius, RequestLatency=8, NetworkDeviceName=ICPAV2-SW15, User-Name=901b0e34ea92, NAS-IP-Address=10.6.64.15, NAS-Port=50104, Service-Type=Call Check, Framed-IP-Address=10.6.226.138, Framed-MTU=1500, Called-Station-ID=B0-FA-EB-11-70-04, Calling-Station-ID=90-1B-0E-34-EA-92, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet0/4, EAP-Key-Name=, cisco-av-pair=service-type=Call Check, cisco-av-pair=audit-session-id=0A06400F000006AA6F83C371, cisco-av-pair=method=mab, OriginalUserName=901b0e34ea92, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b2652f13-5b3f-41ba-ada2-8385c8870809, IsThirdPartyDeviceFlow=false, RadiusFlowType=WiredMAB, SSID=B0-FA-EB-11-70-04,\n")
-    message = mt.render(mark="<165>", host=host)
+        "{{ mark }} {{ bsd }} {{ host }} CISE_Passed_Authentications 0001939187 4 0 {{ date }} {{ time }} {{ tzoffset }} 0042009748 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=128, Device IP Address=10.6.64.15, DestinationIPAddress=10.16.20.23, DestinationPort=1812, UserName=90-1B-0E-34-EA-92, Protocol=Radius, RequestLatency=8, NetworkDeviceName=ICPAV2-SW15, User-Name=901b0e34ea92, NAS-IP-Address=10.6.64.15, NAS-Port=50104, Service-Type=Call Check, Framed-IP-Address=10.6.226.138, Framed-MTU=1500, Called-Station-ID=B0-FA-EB-11-70-04, Calling-Station-ID=90-1B-0E-34-EA-92, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet0/4, EAP-Key-Name=, cisco-av-pair=service-type=Call Check, cisco-av-pair=audit-session-id=0A06400F000006AA6F83C371, cisco-av-pair=method=mab, OriginalUserName=901b0e34ea92, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b2652f13-5b3f-41ba-ada2-8385c8870809, IsThirdPartyDeviceFlow=false, RadiusFlowType=WiredMAB, SSID=B0-FA-EB-11-70-04,\n")
+    message = mt.render(mark="<165>", bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset)
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
     mt = env.from_string(
-        "{{ mark }} {% now 'local', '%b %d %H:%M:%S' %} {{ host }} CISE_Passed_Authentications 0001939187 4 1  AcsSessionID=ICDC-ISE03/341048949/1407358, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=WIRED_GUEST_REDIRECT, UseCase=Host Lookup, IdentityGroup=Endpoint Identity Groups:Unknown, Step=11001, Step=11017, Step=11027, Step=15049, Step=15008, Step=15048, Step=15048, Step=15041, Step=15013, Step=24209, Step=24211, Step=22037, Step=24715, Step=15036, Step=15048, Step=15048, Step=15016, Step=11002, SelectedAuthenticationIdentityStores=Internal Endpoints, AuthenticationStatus=AuthenticationPassed, NetworkDeviceGroups=Location#All Locations#Provo, NetworkDeviceGroups=Device Type#All Device Types#Switches, NetworkDeviceGroups=Migrated NDGs#All Migrated NDGs, IdentityPolicyMatchedRule=Default, AuthorizationPolicyMatchedRule=Guest Web Auth, UserType=Host, CPMSessionID=0A06400F000006AA6F83C371, EndPointMACAddress=90-1B-0E-34-EA-92,\n")
-    message = mt.render(mark="<111>", host=host)
+        "{{ mark }} {{ bsd }} {{ host }} CISE_Passed_Authentications 0001939187 4 1  AcsSessionID=ICDC-ISE03/341048949/1407358, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=WIRED_GUEST_REDIRECT, UseCase=Host Lookup, IdentityGroup=Endpoint Identity Groups:Unknown, Step=11001, Step=11017, Step=11027, Step=15049, Step=15008, Step=15048, Step=15048, Step=15041, Step=15013, Step=24209, Step=24211, Step=22037, Step=24715, Step=15036, Step=15048, Step=15048, Step=15016, Step=11002, SelectedAuthenticationIdentityStores=Internal Endpoints, AuthenticationStatus=AuthenticationPassed, NetworkDeviceGroups=Location#All Locations#Provo, NetworkDeviceGroups=Device Type#All Device Types#Switches, NetworkDeviceGroups=Migrated NDGs#All Migrated NDGs, IdentityPolicyMatchedRule=Default, AuthorizationPolicyMatchedRule=Guest Web Auth, UserType=Host, CPMSessionID=0A06400F000006AA6F83C371, EndPointMACAddress=90-1B-0E-34-EA-92,\n")
+    message = mt.render(mark="<111>", bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset)
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
     mt = env.from_string(
-        "{{ mark }} {% now 'local', '%b %d %H:%M:%S' %} {{ host }} CISE_Passed_Authentications 0001939187 4 2  PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Unknown, DeviceRegistrationStatus=notRegistered, ISEPolicySetName=Wired MAB, IdentitySelectionMatchedRule=Default, StepData=5= Aruba.Aruba-Essid-Name, StepData=6= DEVICE.Device Type, StepData=8=Internal Endpoints, StepData=14= EndPoints.LogicalProfile, StepData=15= Network Access.Protocol, allowEasyWiredSession=false, DTLSSupport=Unknown, HostIdentityGroup=Endpoint Identity Groups:Unknown, Network Device Profile=Cisco, Location=Location#All Locations#Provo, Device Type=Device Type#All Device Types#Switches, Migrated NDGs=Migrated NDGs#All Migrated NDGs, Name=Endpoint Identity Groups:Unknown,\n")
-    message = mt.render(mark="<111>", host=host)
+        "{{ mark }} {{ bsd }} {{ host }} CISE_Passed_Authentications 0001939187 4 2  PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Unknown, DeviceRegistrationStatus=notRegistered, ISEPolicySetName=Wired MAB, IdentitySelectionMatchedRule=Default, StepData=5= Aruba.Aruba-Essid-Name, StepData=6= DEVICE.Device Type, StepData=8=Internal Endpoints, StepData=14= EndPoints.LogicalProfile, StepData=15= Network Access.Protocol, allowEasyWiredSession=false, DTLSSupport=Unknown, HostIdentityGroup=Endpoint Identity Groups:Unknown, Network Device Profile=Cisco, Location=Location#All Locations#Provo, Device Type=Device Type#All Device Types#Switches, Migrated NDGs=Migrated NDGs#All Migrated NDGs, Name=Endpoint Identity Groups:Unknown,\n")
+    message = mt.render(mark="<111>", bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset)
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
     mt = env.from_string(
-        "{{ mark }} {% now 'local', '%b %d %H:%M:%S' %} {{ host }} CISE_Passed_Authentications 0001939187 4 3  Response={UserName=90:1B:0E:34:EA:92; User-Name=90-1B-0E-34-EA-92; State=ReauthSession:0A06400F000006AA6F83C371; Class=CACS:0A06400F000006AA6F83C371:ICDC-ISE03/341048949/1407358; Session-Timeout=300; Idle-Timeout=240; Termination-Action=RADIUS-Request; cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT; cisco-av-pair=url-redirect=https://ICDC-ISE03.example.com:8443/portal/gateway?sessionId=0A06400F000006AA6F83C371&portal=c5a76cb0-6150-11e5-b062-0050568d954e&action=cwa&type=drw&token=6ded1943789b345f7afdd09e91549047; cisco-av-pair=profile-name=Unknown; LicenseTypes=1; },\n")
-    message = mt.render(mark="<111>", host=host)
+        "{{ mark }} {{ bsd }} {{ host }} CISE_Passed_Authentications 0001939187 4 3  Response={UserName=90:1B:0E:34:EA:92; User-Name=90-1B-0E-34-EA-92; State=ReauthSession:0A06400F000006AA6F83C371; Class=CACS:0A06400F000006AA6F83C371:ICDC-ISE03/341048949/1407358; Session-Timeout=300; Idle-Timeout=240; Termination-Action=RADIUS-Request; cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT; cisco-av-pair=url-redirect=https://ICDC-ISE03.example.com:8443/portal/gateway?sessionId=0A06400F000006AA6F83C371&portal=c5a76cb0-6150-11e5-b062-0050568d954e&action=cwa&type=drw&token=6ded1943789b345f7afdd09e91549047; cisco-av-pair=profile-name=Unknown; LicenseTypes=1; },\n")
+    message = mt.render(mark="<111>", bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset)
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netauth host=\"{{ host }}\" sourcetype=\"cisco:ise:syslog\" | head 11")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=netauth host=\"{{ host }}\" sourcetype=\"cisco:ise:syslog\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -55,13 +64,21 @@ def test_cisco_ise(record_property, setup_wordlist, setup_splunk, setup_sc4s):
 def test_cisco_ise_single(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions for Cisco ACS
+    time = time[:-3]
+    tzoffset = tzoffset[0:3] + ":" + tzoffset[3:]
+    epoch = epoch[:-3]
+
     mt = env.from_string(
-        "{{ mark }} {% now 'local', '%b %d %H:%M:%S' %} {{ host }} CISE_RADIUS_Accounting 0006028545 1 0 {% now 'utc', '%Y-%m-%d %H:%M:%S' %}.305 +00:00 0088472694 3002 NOTICE Radius-Accounting: RADIUS Accounting watchdog update, ConfigVersionId=336, Device IP Address=10.0.0.3, RequestLatency=3, NetworkDeviceName=nc-aaa-aaa1, User-Name=U100000.ent.corp, NAS-IP-Address=10.0.0.3, NAS-Port=50047, Service-Type=Framed, Framed-IP-Address=10.0.0.80, Class=CACS:0AEF12345677832097B3F362:ncsilsepsuie212/356139633/9969901, Called-Station-ID=00-08-00-00-1B-AF, Calling-Station-ID=00-00-00-00-A0-7E, Acct-Status-Type=Interim-Update, Acct-Delay-Time=0, Acct-Input-Octets=653293631, Acct-Output-Octets=1497972244, Acct-Session-Id=00000B68, Acct-Authentic=RADIUS, Acct-Session-Time=241598, Acct-Input-Packets=2656224, Acct-Output-Packets=7614179, Acct-Input-Gigawords=0, Acct-Output-Gigawords=1, NAS-Port-Type=Ethernet, NAS-Port-Id=FastEthernet0/47, undefined-151=31D7AADD, cisco-av-pair=audit-session-id=0AEF10030000032097B3F362, cisco-av-pair=connect-progress=Auth Open, AcsSessionID=ncsilsepsuie205/359238109/4017186, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15004, Step=22094, Step=11005, NetworkDeviceGroups=Location#All Locations#NC, NetworkDeviceGroups=Device Type#All Device Types#Switch#2960-Switches, NetworkDeviceGroups=All Network Device Groups#All Network Device Groups, CPMSessionID=0AEF10030000032097B3F362, AllowedProtocolMatchedRule=EAP-TLS, All Network Device Groups=All Network Device Groups#All Network Device Groups, Location=Location#All Locations#NC, Device Type=Device Type#All Device Types#Switch#2960-Switches, Network Device Profile=Cisco,\n")
-    message = mt.render(mark="<165>", host=host)
+        "{{ mark }} {{ bsd }} {{ host }} CISE_RADIUS_Accounting 0006028545 1 0 {{ date }} {{ time }} {{ tzoffset }} 0088472694 3002 NOTICE Radius-Accounting: RADIUS Accounting watchdog update, ConfigVersionId=336, Device IP Address=10.0.0.3, RequestLatency=3, NetworkDeviceName=nc-aaa-aaa1, User-Name=U100000.ent.corp, NAS-IP-Address=10.0.0.3, NAS-Port=50047, Service-Type=Framed, Framed-IP-Address=10.0.0.80, Class=CACS:0AEF12345677832097B3F362:ncsilsepsuie212/356139633/9969901, Called-Station-ID=00-08-00-00-1B-AF, Calling-Station-ID=00-00-00-00-A0-7E, Acct-Status-Type=Interim-Update, Acct-Delay-Time=0, Acct-Input-Octets=653293631, Acct-Output-Octets=1497972244, Acct-Session-Id=00000B68, Acct-Authentic=RADIUS, Acct-Session-Time=241598, Acct-Input-Packets=2656224, Acct-Output-Packets=7614179, Acct-Input-Gigawords=0, Acct-Output-Gigawords=1, NAS-Port-Type=Ethernet, NAS-Port-Id=FastEthernet0/47, undefined-151=31D7AADD, cisco-av-pair=audit-session-id=0AEF10030000032097B3F362, cisco-av-pair=connect-progress=Auth Open, AcsSessionID=ncsilsepsuie205/359238109/4017186, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15004, Step=22094, Step=11005, NetworkDeviceGroups=Location#All Locations#NC, NetworkDeviceGroups=Device Type#All Device Types#Switch#2960-Switches, NetworkDeviceGroups=All Network Device Groups#All Network Device Groups, CPMSessionID=0AEF10030000032097B3F362, AllowedProtocolMatchedRule=EAP-TLS, All Network Device Groups=All Network Device Groups#All Network Device Groups, Location=Location#All Locations#NC, Device Type=Device Type#All Device Types#Switch#2960-Switches, Network Device Profile=Cisco,\n")
+    message = mt.render(mark="<165>", bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset)
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netauth host=\"{{ host }}\" sourcetype=\"cisco:ise:syslog\" | head 11")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=netauth host=\"{{ host }}\" sourcetype=\"cisco:ise:syslog\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
diff --git a/tests/test_cisco_meraki.py b/tests/test_cisco_meraki.py
index 62c4ab6..d92c443 100644
--- a/tests/test_cisco_meraki.py
+++ b/tests/test_cisco_meraki.py
@@ -9,21 +9,28 @@
 
 from .sendmessage import *
 from .splunkutils import *
+from .timeutils import *
 
-env = Environment(extensions=['jinja2_time.TimeExtension'])
+env = Environment()
 
 #<134>1 1563249630.774247467 devicename security_event ids_alerted signature=1:28423:1 priority=1 timestamp=1468531589.810079 dhost=98:5A:EB:E1:81:2F direction=ingress protocol=tcp/ip src=151.101.52.238:80 dst=192.168.128.2:53023 message: EXPLOIT-KIT Multiple exploit kit single digit exe detection
 def test_cisco_meraki_security_event(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch_ms = epoch[:-3]
+
     mt = env.from_string(
-        "{{ mark }}1 {% now 'local', '%s' %}.123456789 testcm-{{ host }} security_event ids_alerted signature=1:28423:1 priority=1 timestamp={% now 'local', '%s' %}.123456 dhost=98:5A:EB:E1:81:2F direction=ingress protocol=tcp/ip src=151.101.52.238:80 dst=192.168.128.2:53023 message: EXPLOIT-KIT Multiple exploit kit single digit exe detection\n")
-    message = mt.render(mark="<134>", host=host)
+        "{{ mark }}1 {{ epoch }}123 testcm-{{ host }} security_event ids_alerted signature=1:28423:1 priority=1 timestamp={{ epoch }} dhost=98:5A:EB:E1:81:2F direction=ingress protocol=tcp/ip src=151.101.52.238:80 dst=192.168.128.2:53023 message: EXPLOIT-KIT Multiple exploit kit single digit exe detection\n")
+    message = mt.render(mark="<134>", epoch=epoch, host=host)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netfw host=\"testcm-{{ host }}\" sourcetype=\"meraki\" | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch_ms }} index=netfw host=\"testcm-{{ host }}\" sourcetype=\"meraki\"")
+    search = st.render(epoch_ms=epoch_ms, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
diff --git a/tests/test_cisco_nx_os.py b/tests/test_cisco_nx_os.py
index 1f9ed65..fe7cfa0 100644
--- a/tests/test_cisco_nx_os.py
+++ b/tests/test_cisco_nx_os.py
@@ -8,21 +8,28 @@
 
 from .sendmessage import *
 from .splunkutils import *
+from .timeutils import *
 
-env = Environment(extensions=['jinja2_time.TimeExtension'])
+env = Environment()
 
 # Nov 1 14:07:58 excal-113 %MODULE-5-MOD_OK: Module 1 is online
 def test_cisco_nx_os(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s):
     host = get_host_key
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{{ mark }} {% now 'local', '%b %d %H:%M:%S' %} csconx-{{ host }} %MODULE-5-MOD_OK: Module 1 is online")
-    message = mt.render(mark="<111>", host=host)
+        "{{ mark }} {{ bsd }} csconx-{{ host }} %MODULE-5-MOD_OK: Module 1 is online")
+    message = mt.render(mark="<111>", bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netops host=\"csconx-{{ host }}\" sourcetype=\"cisco:ios\" | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=netops host=\"csconx-{{ host }}\" sourcetype=\"cisco:ios\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -37,14 +44,20 @@ def test_cisco_nx_os(record_property, setup_wordlist, get_host_key, setup_splunk
 #def test_cisco_nx_os_singleport(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s):
 #    host = get_host_key
 #
+#    dt = datetime.datetime.now()
+#    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+#
+#    # Tune time functions
+#    epoch = epoch[:-7]
+#
 #    mt = env.from_string(
-#        "{{ mark }} {% now 'local', '%b %d %H:%M:%S' %} {{ host }} %MODULE-5-MOD_OK: Module 1 is online")
-#    message = mt.render(mark="<23>", host=host)
+#        "{{ mark }} {{ bsd }} {{ host }} %MODULE-5-MOD_OK: Module 1 is online")
+#    message = mt.render(mark="<23>", bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset)
 #
 #    sendsingle(message, host="sc4s-nx-os")
 #
-#    st = env.from_string("search earliest=-1m@m latest=+1m@m index=main host=\"{{ host }}\" sourcetype=\"cisco:ios\" | head 2")
-#    search = st.render(host=host)
+#    st = env.from_string("search _time={{ epoch }} index=main host=\"{{ host }}\" sourcetype=\"cisco:ios\"")
+#    search = st.render(epoch=epoch, host=host)
 #
 #    resultCount, eventCount = splunk_single(setup_splunk, search)
 #
diff --git a/tests/test_cisco_ucm.py b/tests/test_cisco_ucm.py
index bbe24cf..99c09bd 100644
--- a/tests/test_cisco_ucm.py
+++ b/tests/test_cisco_ucm.py
@@ -9,8 +9,9 @@
 
 from .sendmessage import *
 from .splunkutils import *
+from .timeutils import *
 
-env = Environment(extensions=['jinja2_time.TimeExtension'])
+env = Environment()
 
 # https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2017/pdf/TECUCC-3000.pdf
 
@@ -21,14 +22,21 @@ def test_cisco_ucm_nohost_auditlog(record_property, setup_wordlist, setup_splunk
     host = "{}-{}".format(random.choice(setup_wordlist),
                           random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    ucm_time = dt.strftime("%b %d %Y %I:%M:%S %p.%f")[:-3]
+    epoch = epoch[:-3]
+
     mt = env.from_string(
-        "{{ mark }}8103: {% now 'utc', '%b %d %Y %I:%M:%S %p' %}.100 UTC : %UC_AUDITLOG-5-AdministrativeEvent: %[ UserID =administrator][ ClientAddress =192.168.1.1][ Severity =5][ EventType =GeneralConfigurationUpdate][ ResourceAccessed=CUCMAdmin][ EventStatus =Success][ CompulsoryEvent =No][ AuditCategory =AdministrativeEvent][ ComponentID =Cisco CUCM Administration][ AuditDetails =record in table device, with key field name = SEP0000311107A5 deleted][App ID=Cisco Tomcat][Cluster ID=][Node ID={{ host }}]: Audit Event is generated by this application\n")
-    message = mt.render(mark="<189>", host=host)
+        "{{ mark }}8103: {{ ucm_time }} {{ tzname }} : %UC_AUDITLOG-5-AdministrativeEvent: %[ UserID =administrator][ ClientAddress =192.168.1.1][ Severity =5][ EventType =GeneralConfigurationUpdate][ ResourceAccessed=CUCMAdmin][ EventStatus =Success][ CompulsoryEvent =No][ AuditCategory =AdministrativeEvent][ ComponentID =Cisco CUCM Administration][ AuditDetails =record in table device, with key field name = SEP0000311107A5 deleted][App ID=Cisco Tomcat][Cluster ID=][Node ID={{ host }}]: Audit Event is generated by this application\n")
+    message = mt.render(mark="<189>", tzname=tzname, ucm_time=ucm_time, host=host, epoch=epoch)
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
     st = env.from_string(
-        "search earliest=-1m@m latest=+1m@m index=main host=\"{{ host }}\" sourcetype=\"cisco:ucm\" | head 11")
-    search = st.render(host=host)
+        "search _time={{ epoch }} index=main host=\"{{ host }}\" sourcetype=\"cisco:ucm\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -44,14 +52,21 @@ def test_cisco_ucm_nohost_rtmt(record_property, setup_wordlist, setup_splunk, se
     host = "{}-{}".format(random.choice(setup_wordlist),
                           random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    ucm_time = dt.strftime("%b %d %H:%M:%S.%f")[:-3]
+    epoch = epoch[:-3]
+
     mt = env.from_string(
-        "{{ mark }}17: {% now 'utc', '%b %d %H:%M:%S' %}.100 UTC : %UC_AUDITLOG-5-AdministrativeEvent: %[ UserID =administrator][ ClientAddress =10.1.1.1][ Severity =5][ EventType =GeneralConfigurationUpdate][ ResourceAccessed=CUCMAdmin][ EventStatus =Success][ CompulsoryEvent =No][ AuditCategory =AdministrativeEvent][ ComponentID =Cisco CUCM Administration][ AuditDetails =record in table device, with key field name = SEP0000311107A5 deleted][App ID=Cisco Tomcat][Cluster ID=][Node ID={{ host }}]: Audit Event is generated by this application\n")
-    message = mt.render(mark="<189>", host=host)
+        "{{ mark }}17: {{ ucm_time }} {{ tzname }} : %UC_AUDITLOG-5-AdministrativeEvent: %[ UserID =administrator][ ClientAddress =10.1.1.1][ Severity =5][ EventType =GeneralConfigurationUpdate][ ResourceAccessed=CUCMAdmin][ EventStatus =Success][ CompulsoryEvent =No][ AuditCategory =AdministrativeEvent][ ComponentID =Cisco CUCM Administration][ AuditDetails =record in table device, with key field name = SEP0000311107A5 deleted][App ID=Cisco Tomcat][Cluster ID=][Node ID={{ host }}]: Audit Event is generated by this application {{ ucm_time }} {{ epoch }}\n")
+    message = mt.render(mark="<189>", ucm_time=ucm_time, tzname=tzname, host=host, epoch=epoch)
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
     st = env.from_string(
-        "search earliest=-1m@m latest=+1m@m index=main host=\"{{ host }}\" sourcetype=\"cisco:ucm\" | head 11")
-    search = st.render(host=host)
+        "search _time={{ epoch }} index=main host=\"{{ host }}\" sourcetype=\"cisco:ucm\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -68,14 +83,21 @@ def test_cisco_ucm_host_auditlog(record_property, setup_wordlist, setup_splunk,
     host = "{}-{}".format(random.choice(setup_wordlist),
                           random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    ucm_time = dt.strftime("%b %d %Y %I:%M:%S %p.%f")[:-3]
+    epoch = epoch[:-3]
+
     mt = env.from_string(
-        "{{ mark }}23813: {% now 'utc', '%b %d %Y %I:%M:%S %p' %}.100 UTC : %UC_AUDITLOG-5-AdministrativeEvent: %[ UserID =administrator][ ClientAddress =192.1.1.1][ Severity =5][ EventType =GeneralConfigurationUpdate][ ResourceAccessed=CUCMAdmin][ EventStatus =Success][ CompulsoryEvent =No][ AuditCategory =AdministrativeEvent][ ComponentID =Cisco CUCM Administration][ AuditDetails =record in table device, with key field name = SEP0000311107A5 deleted][App ID=Cisco Tomcat][Cluster ID=][Node ID={{ host }}]: Audit Event is generated by this application\n")
-    message = mt.render(mark="<189>", host=host)
+        "{{ mark }}23813: {{ ucm_time }} {{ tzname }} : %UC_AUDITLOG-5-AdministrativeEvent: %[ UserID =administrator][ ClientAddress =192.1.1.1][ Severity =5][ EventType =GeneralConfigurationUpdate][ ResourceAccessed=CUCMAdmin][ EventStatus =Success][ CompulsoryEvent =No][ AuditCategory =AdministrativeEvent][ ComponentID =Cisco CUCM Administration][ AuditDetails =record in table device, with key field name = SEP0000311107A5 deleted][App ID=Cisco Tomcat][Cluster ID=][Node ID={{ host }}]: Audit Event is generated by this application\n")
+    message = mt.render(mark="<189>", ucm_time=ucm_time, tzname=tzname, host=host)
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
     st = env.from_string(
-        "search earliest=-1m@m latest=+1m@m index=main host=\"{{ host }}\" sourcetype=\"cisco:ucm\" | head 11")
-    search = st.render(host=host)
+        "search _time={{ epoch }} index=main host=\"{{ host }}\" sourcetype=\"cisco:ucm\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -92,14 +114,21 @@ def test_cisco_ucm_nohost_alert(record_property, setup_wordlist, setup_splunk, s
     host = "{}-{}".format(random.choice(setup_wordlist),
                           random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    ucm_time = dt.strftime("%b %d %H:%M:%S.%f")[:-3]
+    epoch = epoch[:-3]
+
     mt = env.from_string(
-        "{{ mark }}17: {% now 'utc', '%b %d %H:%M:%S' %}.100 UTC : %CCM_RTMT-RTMT-2-RTMT-ERROR-ALERT: RTMT Alert Name:SyslogSeverityMatchFound Detail: At Tue Apr 21 14:01:35 CDT 2009 on node {{ host }}, the following SyslogSeverityMatchFound events generated: SeverityMatch - Critical ntpRunningStatus.sh: NTP server 10.12.254.33 is inactive. Verify the network to this server, that it is a NTPv4 server and is operational. SeverityMatch - Alert sshd(pam_unix)[20038]: check pass; user unknown App ID:Cisco AMC Service Cluster ID: Node ID:{{host}}\n")
-    message = mt.render(mark="<189>", host=host)
+        "{{ mark }}17: {{ ucm_time }} {{ tzname }} : %CCM_RTMT-RTMT-2-RTMT-ERROR-ALERT: RTMT Alert Name:SyslogSeverityMatchFound Detail: At Tue Apr 21 14:01:35 CDT 2009 on node {{ host }}, the following SyslogSeverityMatchFound events generated: SeverityMatch - Critical ntpRunningStatus.sh: NTP server 10.12.254.33 is inactive. Verify the network to this server, that it is a NTPv4 server and is operational. SeverityMatch - Alert sshd(pam_unix)[20038]: check pass; user unknown App ID:Cisco AMC Service Cluster ID: Node ID:{{host}} {{ ucm_time }} {{ epoch }}\n")
+    message = mt.render(mark="<189>", epoch=epoch, ucm_time=ucm_time, host=host)
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
     st = env.from_string(
-        "search earliest=-1m@m latest=+1m@m index=main host=\"{{ host }}\" sourcetype=\"cisco:ucm\" | head 11")
-    search = st.render(host=host)
+        "search _time={{ epoch }} index=main host=\"{{ host }}\" sourcetype=\"cisco:ucm\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
diff --git a/tests/test_citrix_netscaler.py b/tests/test_citrix_netscaler.py
index a382acf..737182b 100644
--- a/tests/test_citrix_netscaler.py
+++ b/tests/test_citrix_netscaler.py
@@ -12,21 +12,29 @@
 from .sendmessage import *
 from .splunkutils import *
 import random
+from .timeutils import *
 
-env = Environment(extensions=['jinja2_time.TimeExtension'])
+env = Environment()
 
 #<12> 01/10/2001:01:01:01 GMT netscaler ABC-D : SSLVPN HTTPREQUEST 1234567 : Context username@192.0.2.1 - SessionId: 12345- example.com User username : Group(s) groupname : Vserver a1b2:c3d4:e5f6:a7b8:c9d0:e1f2:a3b4:c5d6:123 - 01/01/2001:01:01:01 GMT GET file/path.gif - -
 def test_citrix_netscaler(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "test-ctitrixns-{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
     pid = random.randint(1000, 32000)
 
-    mt = env.from_string("{{ mark }} {% now 'utc', '%d/%m/%Y:%H:%M:%S' %} GMT {{ host }} ABC-D : SSLVPN HTTPREQUEST 1234567 : Context username@192.0.2.1 - SessionId: 12345- example.com User username : Group(s) groupname : Vserver a1b2:c3d4:e5f6:a7b8:c9d0:e1f2:a3b4:c5d6:123 - 01/01/2001:01:01:01 GMT GET file/path.gif - -\n")
-    message = mt.render(mark="<12>", host=host, pid=pid)
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    time = dt.strftime("%d/%m/%Y:%H:%M:%S")
+    epoch = epoch[:-7]
+
+    mt = env.from_string("{{ mark }} {{ time }} {{ tzname }} {{ host }} ABC-D : SSLVPN HTTPREQUEST 1234567 : Context username@192.0.2.1 - SessionId: 12345- example.com User username : Group(s) groupname : Vserver a1b2:c3d4:e5f6:a7b8:c9d0:e1f2:a3b4:c5d6:123 - 01/01/2001:01:01:01 GMT GET file/path.gif - -\n")
+    message = mt.render(mark="<12>", bsd=bsd, time=time, tzname=tzname, host=host, pid=pid)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netfw host={{ host }} sourcetype=\"citrix:netscaler:syslog\" | head 2")
-    search = st.render(host=host, pid=pid)
+    st = env.from_string("search _time={{ epoch }} index=netfw host={{ host }} sourcetype=\"citrix:netscaler:syslog\"")
+    search = st.render(epoch=epoch, host=host, pid=pid)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
diff --git a/tests/test_common.py b/tests/test_common.py
index 42207ae..166d824 100644
--- a/tests/test_common.py
+++ b/tests/test_common.py
@@ -7,23 +7,31 @@
 import random
 import pytz
 
-from jinja2 import Environment, environment
+from jinja2 import Environment
+from pytest import mark
 
 from .sendmessage import *
 from .splunkutils import *
+from .timeutils import *
 
-env = Environment(extensions=['jinja2_time.TimeExtension'])
+env = Environment()
 
 def test_defaultroute(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
-    mt = env.from_string("{{ mark }} {% now 'local', '%b %d %H:%M:%S' %} {{ host }} test something else\n")
-    message = mt.render(mark="<111>", host=host)
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
+    mt = env.from_string("{{ mark }} {{ bsd }} {{ host }} test something else\n")
+    message = mt.render(mark="<111>", bsd=bsd, host=host)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=main host=\"{{ host }}\" sourcetype=\"sc4s:fallback\" PROGRAM=\"test\" | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=main host=\"{{ host }}\" sourcetype=\"sc4s:fallback\" PROGRAM=\"test\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -33,16 +41,23 @@ def test_defaultroute(record_property, setup_wordlist, setup_splunk, setup_sc4s)
 
     assert resultCount == 1
 
+@mark.skip()
 def test_internal(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
-    mt = env.from_string("{{ mark }} {% now 'local', '%b %d %H:%M:%S' %} {{ host }} sc4sdefault[0]: test\n")
-    message = mt.render(mark="<111>", host=host)
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
+    mt = env.from_string("{{ mark }} {{ bsd }} {{ host }} sc4sdefault[0]: test\n")
+    message = mt.render(mark="<111>", bsd=bsd, host=host)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=main NOT host=\"{{ host }}\" sourcetype=\"sc4s:events\" | head 1")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=main NOT host=\"{{ host }}\" sourcetype=\"sc4s:events\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -55,13 +70,19 @@ def test_internal(record_property, setup_wordlist, setup_splunk, setup_sc4s):
 def test_fallback(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
-    mt = env.from_string("{{ mark }} {% now 'local', '%b %d %H:%M:%S' %} testvp-{{ host }} test\n")
-    message = mt.render(mark="<111>", host=host)
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
+    mt = env.from_string("{{ mark }} {{ bsd }} testvp-{{ host }} test\n")
+    message = mt.render(mark="<111>", bsd=bsd, host=host)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=main host=\"testvp-{{ host }}\" sourcetype=\"sc4s:fallback\" | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=main host=\"testvp-{{ host }}\" sourcetype=\"sc4s:fallback\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -87,14 +108,20 @@ def test_tz_guess(record_property, setup_wordlist, setup_splunk, setup_sc4s):
 
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{{ mark }} {% now 'America/Los_Angeles', '%b %d %H:%M:%S' %} {{ host }} : %ASA-3-003164: TCP access denied by ACL from 179.236.133.160/3624 to outside:72.142.18.38/23\n")
-    message = mt.render(mark="<111>", host=host)
+        "{{ mark }} {{ bsd }} {{ host }} : %ASA-3-003164: TCP access denied by ACL from 179.236.133.160/3624 to outside:72.142.18.38/23\n")
+    message = mt.render(mark="<111>", bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netfw host=\"{{ host }}\" sourcetype=\"cisco:asa\" \"%ASA-3-003164\" | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=netfw host=\"{{ host }}\" sourcetype=\"cisco:asa\" \"%ASA-3-003164\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -112,15 +139,26 @@ def test_tz_fix_hst(record_property, setup_wordlist, setup_splunk, setup_sc4s):
 # 10 minute offset (reserved for future use)
 #   dt = datetime.datetime.utcnow() - datetime.timedelta(hours=10, minutes=10)
 
-    dt = datetime.datetime.utcnow() - datetime.timedelta(hours=10)
+#   dt = datetime.datetime.utcnow() - datetime.timedelta(hours=10)
+
+# Set the date to Hawaii time
+    dt = datetime.datetime.now(datetime.timezone.utc) - datetime.timedelta(hours=10)
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
     mt = env.from_string(
-        "{{ mark }} {{ dt }} tzfhst-{{ host }} : %ASA-3-003164: TCP access denied by ACL from 179.236.133.160/3624 to outside:72.142.18.38/23\n")
-    message = mt.render(mark="<111>", host=host, dt=dt.strftime('%b %d %H:%M:%S'))
+        "{{ mark }} {{ bsd }} tzfhst-{{ host }} : %ASA-3-003164: TCP access denied by ACL from 179.236.133.160/3624 to outside:72.142.18.38/23\n")
+    message = mt.render(mark="<111>", bsd=bsd, host=host)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netfw host=\"tzfhst-{{ host }}\" sourcetype=\"cisco:asa\"")
-    search = st.render(host=host)
+# Add the 10 hours back to search for current time
+    dt = dt + datetime.timedelta(hours=10)
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    epoch = epoch[:-7]
+
+    st = env.from_string("search _time={{ epoch }} index=netfw host=\"tzfhst-{{ host }}\" sourcetype=\"cisco:asa\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -134,20 +172,23 @@ def test_tz_fix_ny(record_property, setup_wordlist, setup_splunk, setup_sc4s):
 
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
-    tz_NY = pytz.timezone('America/New_York')
-
 # 10 minute offset (reserved for future use)
-#   dt = datetime.datetime.now(tz_NY) - datetime.timedelta(minutes=10)
+#   dt = datetime.datetime.now(pytz.timezone('America/New_York')) - datetime.timedelta(minutes=10)
+
+    dt = datetime.datetime.now(pytz.timezone('America/New_York'))
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
 
-    dt = datetime.datetime.now(tz_NY)
     mt = env.from_string(
-        "{{ mark }} {{ dt }} tzfny-{{ host }} : %ASA-3-003164: TCP access denied by ACL from 179.236.133.160/3624 to outside:72.142.18.38/23\n")
-    message = mt.render(mark="<111>", host=host, dt=dt.strftime('%b %d %H:%M:%S'))
+        "{{ mark }} {{ bsd }} tzfny-{{ host }} : %ASA-3-003164: TCP access denied by ACL from 179.236.133.160/3624 to outside:72.142.18.38/23\n")
+    message = mt.render(mark="<111>", bsd=bsd, host=host)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netfw host=\"tzfny-{{ host }}\" sourcetype=\"cisco:asa\"")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=netfw host=\"tzfny-{{ host }}\" sourcetype=\"cisco:asa\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
diff --git a/tests/test_cyberark.py b/tests/test_cyberark.py
index ce6d916..96aa6d0 100644
--- a/tests/test_cyberark.py
+++ b/tests/test_cyberark.py
@@ -9,21 +9,29 @@
 
 from .sendmessage import *
 from .splunkutils import *
+from .timeutils import *
 
-env = Environment(extensions=['jinja2_time.TimeExtension'])
+env = Environment()
 
 #<5>1 2020-01-24T22:53:03Z REDACTEDHOSTNAME CEF:0|Cyber-Ark|Vault|10.9.0000|22|CPM Verify Password|5|act="CPM Verify Password" suser=PasswordManager fname=Root\Operating System-OBO-ISSO-Windows-Domain-Account-redacted dvc= shost=10.0.0.10 dhost= duser=redacted externalId= app= reason= cs1Label="Affected User Name" cs1= cs2Label="Safe Name" cs2="re-dact-ted" cs3Label="Device Type" cs3="Operating System" cs4Label="Database" cs4= cs5Label="Other info" cs5= cn1Label="Request Id" cn1= cn2Label="Ticket Id" cn2="VerificationPeriod"  msg="VerificationPeriod"
 def test_cyberark_epv_5424(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now(datetime.timezone.utc)
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    iso = dt.isoformat()[0:19]
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{{ mark }}1 {% now 'local', '%Y-%m-%dT%H:%M:%S' %}Z {{ host }} CEF:0|Cyber-Ark|Vault|9.20.0000|7|Logon|5|act=\"Logon\" suser=##USER_NAME## fname= dvc= shost=##SOURCE_IP## dhost= duser= externalId= app= reason= cs1Label=\"Affected User Name\" cs1= cs2Label=\"Safe Name\" cs2= cs3Label=\"Device Type\" cs3=11111 cs4Label=\"Database\" cs4=222222 cs5Label=\"Other info\" cs5= cn1Label=\"Request Id\" cn1= cn2Label=\"Ticket Id\" cn2=  msg=\n")
-    message = mt.render(mark="<111>", host=host)
+        "{{ mark }}1 {{ iso }}Z {{ host }} CEF:0|Cyber-Ark|Vault|9.20.0000|7|Logon|5|act=\"Logon\" suser=##USER_NAME## fname= dvc= shost=##SOURCE_IP## dhost= duser= externalId= app= reason= cs1Label=\"Affected User Name\" cs1= cs2Label=\"Safe Name\" cs2= cs3Label=\"Device Type\" cs3=11111 cs4Label=\"Database\" cs4=222222 cs5Label=\"Other info\" cs5= cn1Label=\"Request Id\" cn1= cn2Label=\"Ticket Id\" cn2=  msg=\n")
+    message = mt.render(mark="<111>", iso=iso, host=host)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netauth host=\"{{ host }}\" sourcetype=\"cyberark:epv:cef\"| head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=netauth host=\"{{ host }}\" sourcetype=\"cyberark:epv:cef\"| head 2")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -37,14 +45,20 @@ def test_cyberark_epv_5424(record_property, setup_wordlist, setup_splunk, setup_
 def test_cyberark_epv(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{{ mark }}{% now 'local', '%b %d %H:%M:%S' %} {{ host }} CEF:0|Cyber-Ark|Vault|9.20.0000|7|Logon|5|act=\"Logon\" suser=##USER_NAME## fname= dvc= shost=##SOURCE_IP## dhost= duser= externalId= app= reason= cs1Label=\"Affected User Name\" cs1= cs2Label=\"Safe Name\" cs2= cs3Label=\"Device Type\" cs3=11111 cs4Label=\"Database\" cs4=222222 cs5Label=\"Other info\" cs5= cn1Label=\"Request Id\" cn1= cn2Label=\"Ticket Id\" cn2=  msg=\n")
-    message = mt.render(mark="<111>", host=host)
+        "{{ mark }}{{ bsd }} {{ host }} CEF:0|Cyber-Ark|Vault|9.20.0000|7|Logon|5|act=\"Logon\" suser=##USER_NAME## fname= dvc= shost=##SOURCE_IP## dhost= duser= externalId= app= reason= cs1Label=\"Affected User Name\" cs1= cs2Label=\"Safe Name\" cs2= cs3Label=\"Device Type\" cs3=11111 cs4Label=\"Database\" cs4=222222 cs5Label=\"Other info\" cs5= cn1Label=\"Request Id\" cn1= cn2Label=\"Ticket Id\" cn2=  msg=\n")
+    message = mt.render(mark="<111>", bsd=bsd, host=host)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netauth host=\"{{ host }}\" sourcetype=\"cyberark:epv:cef\"| head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=netauth host=\"{{ host }}\" sourcetype=\"cyberark:epv:cef\"| head 2")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -58,14 +72,20 @@ def test_cyberark_epv(record_property, setup_wordlist, setup_splunk, setup_sc4s)
 def test_cyberark_pta(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{{ mark }}{% now 'local', '%b %d %H:%M:%S' %} {{ host }} CEF:0|CyberArk|PTA|2.6.1|20|Privileged account anomaly|8|cs1Label=incidentId cs1=55a32ed8e4b0e4a90114e12c start=1436755482000 deviceCustomDate1Label=detectionDate deviceCustomDate1=1436759065017 msg=Incident updated. Now contains 7 anomalies cs2Label=link cs2=https://10.0.0.1/incidents/55a32ed8e4b0e4a90114e12c\n")
-    message = mt.render(mark="<111>", host=host)
+        "{{ mark }}{{ bsd }} {{ host }} CEF:0|CyberArk|PTA|2.6.1|20|Privileged account anomaly|8|cs1Label=incidentId cs1=55a32ed8e4b0e4a90114e12c start=1436755482000 deviceCustomDate1Label=detectionDate deviceCustomDate1=1436759065017 msg=Incident updated. Now contains 7 anomalies cs2Label=link cs2=https://10.0.0.1/incidents/55a32ed8e4b0e4a90114e12c\n")
+    message = mt.render(mark="<111>", bsd=bsd, host=host)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=main host=\"{{ host }}\" sourcetype=\"cyberark:pta:cef\"| head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=main host=\"{{ host }}\" sourcetype=\"cyberark:pta:cef\"| head 2")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
diff --git a/tests/test_forcepoint_web.py b/tests/test_forcepoint_web.py
index 44c5df0..e99c9a7 100644
--- a/tests/test_forcepoint_web.py
+++ b/tests/test_forcepoint_web.py
@@ -9,21 +9,28 @@
 
 from .sendmessage import *
 from .splunkutils import *
+from .timeutils import *
 
-env = Environment(extensions=['jinja2_time.TimeExtension'])
+env = Environment()
 
 #<134>Oct 16 12:13:06 sourcehost2 vendor=Websense 9f product=Security product_version=7.7.0 action=permitted severity=7 category=755 user=LDAP://user7 OU=Users,OU=Beijing,DC=com/TEST\, TEST_NAME src_host=10.0.0.4 src_port=61435 dst_host=HOST-013 dst_ip=10.0.0.19 dst_port=25404 bytes_out=4074 bytes_in=12328 http_response=200 http_method=POST http_content_type=image/gif;charset=UTF-8 http_user_agent=Mozilla/3.0 (Windows; U; Windows NT 6.1; es-def; rv:1.7.0.11) Gecko/2009060215 Firefox/8.0.11 (.NET CLR 8.5.30729) http_proxy_status_code=200 reason=- disposition=2573 policy=role-8**Default role=4 duration=63 url=http://test_web.com/contents/content1.jpg
 def test_forcepoint_webprotect_kv(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{{ mark }}{% now 'local', '%b %d %H:%M:%S' %} {{ host }} vendor=Websense 9f product=Security product_version=7.7.0 action=permitted severity=7 category=755 user=LDAP://user7 OU=Users,OU=Beijing,DC=com/TEST\, TEST_NAME src_host=10.0.0.4 src_port=61435 dst_host=HOST-013 dst_ip=10.0.0.19 dst_port=25404 bytes_out=4074 bytes_in=12328 http_response=200 http_method=POST http_content_type=image/gif;charset=UTF-8 http_user_agent=Mozilla/3.0 (Windows; U; Windows NT 6.1; es-def; rv:1.7.0.11) Gecko/2009060215 Firefox/8.0.11 (.NET CLR 8.5.30729) http_proxy_status_code=200 reason=- disposition=2573 policy=role-8**Default role=4 duration=63 url=http://test_web.com/contents/content1.jpg unknownfield=-\n")
-    message = mt.render(mark="<134>", host=host)
+        "{{ mark }}{{ bsd }} {{ host }} vendor=Websense 9f product=Security product_version=7.7.0 action=permitted severity=7 category=755 user=LDAP://user7 OU=Users,OU=Beijing,DC=com/TEST\, TEST_NAME src_host=10.0.0.4 src_port=61435 dst_host=HOST-013 dst_ip=10.0.0.19 dst_port=25404 bytes_out=4074 bytes_in=12328 http_response=200 http_method=POST http_content_type=image/gif;charset=UTF-8 http_user_agent=Mozilla/3.0 (Windows; U; Windows NT 6.1; es-def; rv:1.7.0.11) Gecko/2009060215 Firefox/8.0.11 (.NET CLR 8.5.30729) http_proxy_status_code=200 reason=- disposition=2573 policy=role-8**Default role=4 duration=63 url=http://test_web.com/contents/content1.jpg unknownfield=-\n")
+    message = mt.render(mark="<134>", bsd=bsd, host=host)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netproxy host=\"{{ host }}\" sourcetype=\"websense:cg:kv\" | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=netproxy host=\"{{ host }}\" sourcetype=\"websense:cg:kv\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
diff --git a/tests/test_fortinet_ngfw.py b/tests/test_fortinet_ngfw.py
index 725934f..cca8479 100644
--- a/tests/test_fortinet_ngfw.py
+++ b/tests/test_fortinet_ngfw.py
@@ -4,73 +4,39 @@
 # license that can be found in the LICENSE-BSD2 file or at
 # https://opensource.org/licenses/BSD-2-Clause
 import random
-import datetime
 
 from jinja2 import Environment
 
 from .sendmessage import *
 from .splunkutils import *
+from .timeutils import *
 
 # env = Environment(extensions=['jinja2_time.TimeExtension'])
 env = Environment()
 
-# Helper functions
-# Insert a character at given location in string (e.g space between ms and TZ offset 2020-02-12 12:46:39.323 -08:00)
-def insert_char(string, char, integer):
-    return string[0:integer] + char + string[integer:]
-
-# Function to remove leading zero from TZ offsets less than 10 hours
-def removeZero(tz):
-    return re.sub(r'\b0+(\d)(?=:)', r'\1', tz)
-
-def time_operations(dt):
-    # Generate an ISO 8601 (RFC 5424) compliant timestamp with local timezone offset (2020-02-12T12:46:39.323-08:00)
-    # See https://stackoverflow.com/questions/2150739/iso-time-iso-8601-in-python
-    iso = dt.astimezone().isoformat(sep='T', timespec='milliseconds')
-    # Generate an BSD-style (RFC 3164) compliant timestamp with no timezone (Oct 25 13:08:00)
-    bsd = dt.strftime("%b %d %H:%M:%S")
-
-    # Other variants of timestamps needed for this log sample
-    time = dt.strftime("%H:%M:%S")
-    date = dt.strftime("%Y-%m-%d")
-    # Insert colon in tzoffset string; normally just 'tzoffset = dt.astimezone().strftime("%z")'
-    # Could use helper function above; e.g. 'tzoffset = insert_char(dt.astimezone().strftime("%z"), ":", 3)'
-    tzoffset = dt.astimezone().strftime("%z")
-
-    # Derive epoch timestamp for use in search string
-    # NOTE:  There are caveats with 'strftime("%s")', see references below
-
-    # See https://stackoverflow.com/questions/11743019/convert-python-datetime-to-epoch-with-strftime
-    # See https://docs.python.org/3/library/datetime.html#datetime-objects
-    # Basically: Don't use 'utcnow()'
-
-    # Strict way to get epoch as a string (rather than float) avoiding naive objects
-    # epoch = dt.fromtimestamp(dt.timestamp()).strftime('%s')
-
-    # Since datetime.now().astimezone() is aware, strftime() should be safe and form below OK
-    # Trim last 3 or 7 characters of microsecond resolution to obtain milliseconds or whole seconds, respectively
-    epoch = dt.astimezone().strftime("%s.%f")[:-7]
-
-    return iso, bsd, time, date, tzoffset, epoch
-
 # <111> Aug 17 00:00:00 fortigate date=2015-08-11 time=19:19:43 devname=Nosey devid=FG800C3912801080 logid=0004000017 type=traffic subtype=sniffer level=notice vd=root srcip=fe80::20c:29ff:fe77:20d4 srcintf="port3" dstip=ff02::1:ff77:20d4 dstintf="port3" sessionid=408903 proto=58 action=accept policyid=2 dstcountry="Reserved" srccountry="Reserved" trandisp=snat transip=:: transport=0 service="icmp6/131/0" duration=36 sentbyte=0 rcvdbyte=40 sentpkt=0 rcvdpkt=0 appid=16321 app="IPv6.ICMP" appcat="Network.Service" apprisk=elevated applist="sniffer-profile" appact=detected utmaction=allow countapp=1
 def test_fortinet_fgt_event(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist),
                           random.choice(setup_wordlist))
 
     dt = datetime.datetime.now()
-    iso, bsd, time, date, tzoffset, epoch = time_operations(dt)
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions for Fortigate
+    time = time[:-7]
+    tzoffset = insert_char(tzoffset, ":", 3)
+    epoch = epoch[:-7]
 
     mt = env.from_string(
 #       "{{ mark }} {{ bsd }} fortigate date={{ date }} time={{ time }} devname={{ host }} devid=FGT60D4614044725 logid=0100040704 type=event subtype=system level=notice tz=\"{{ tzoffset }}\" vd=root logdesc=\"System performance statistics\" action=\"perf-stats\" cpu=2 mem=35 totalsession=61 disk=2 bandwidth=158/138 setuprate=2 disklograte=0 fazlograte=0 msg=\"Performance statistics: average CPU: 2, memory:  35, concurrent sessions:  61, setup-rate: 2\"\n")
         "{{ mark }} {{ bsd }} fortigate date={{ date }} time={{ time }} devname={{ host }} devid=FGT60D4614044725 logid=0100040704 type=event subtype=system level=notice vd=root logdesc=\"System performance statistics\" action=\"perf-stats\" cpu=2 mem=35 totalsession=61 disk=2 bandwidth=158/138 setuprate=2 disklograte=0 fazlograte=0 msg=\"Performance statistics: average CPU: 2, memory:  35, concurrent sessions:  61, setup-rate: 2\"\n")
-    message = mt.render(mark="<111>", bsd=bsd, date=date, time=time, tzoffset=tzoffset, host=host)
+    message = mt.render(mark="<111>", bsd=bsd, date=date, time=time, host=host, tzoffset=tzoffset)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
     st = env.from_string(
        "search _time={{ epoch }} index=netops host=\"{{ host }}\" sourcetype=\"fgt_event\"")
-    search = st.render(host=host, epoch=epoch)
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -86,11 +52,16 @@ def test_fortinet_fgt_traffic(record_property, setup_wordlist, setup_splunk, set
                           random.choice(setup_wordlist))
 
     dt = datetime.datetime.now()
-    iso, bsd, time, date, tzoffset, epoch = time_operations(dt)
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions for Fortigate
+    time = time[:-7]
+    tzoffset = insert_char(tzoffset, ":", 3)
+    epoch = epoch[:-7]
 
     mt = env.from_string(
         "{{ mark }} {{ bsd }} fortigate date={{ date }} time={{ time }} devname={{ host }} devid=FG800C3912801080 logid=0004000017 type=traffic subtype=sniffer level=notice vd=root srcip=fe80::20c:29ff:fe77:20d4 srcintf=\"port3\" dstip=ff02::1:ff77:20d4 dstintf=\"port3\" sessionid=408903 proto=58 action=accept policyid=2 dstcountry=\"Reserved\" srccountry=\"Reserved\" trandisp=snat transip=:: transport=0 service=\"icmp6/131/0\" duration=36 sentbyte=0 rcvdbyte=40 sentpkt=0 rcvdpkt=0 appid=16321 app=\"IPv6.ICMP\" appcat=\"Network.Service\" apprisk=elevated applist=\"sniffer-profile\" appact=detected utmaction=allow countapp=1\n")
-    message = mt.render(mark="<111>", bsd=bsd, date=date, time=time, host=host)
+    message = mt.render(mark="<111>", bsd=bsd, date=date, time=time, host=host, tzoffset=tzoffset)
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
     st = env.from_string(
@@ -111,11 +82,16 @@ def test_fortinet_fgt_utm(record_property, setup_wordlist, setup_splunk, setup_s
                           random.choice(setup_wordlist))
 
     dt = datetime.datetime.now()
-    iso, bsd, time, date, tzoffset, epoch = time_operations(dt)
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions for Fortigate
+    time = time[:-7]
+    tzoffset = insert_char(tzoffset, ":", 3)
+    epoch = epoch[:-7]
 
     mt = env.from_string(
         "{{ mark }} {{ bsd }} fortigate date={{ date }} time={{ time }} devname={{ host }} devid=FGT37D4613800138 logid=0317013312 type=utm subtype=webfilter eventtype=ftgd_allow level=notice vd=root sessionid=1490845588 user=\"\" srcip=172.30.16.119 srcport=53235 srcintf=\"Internal\" dstip=114.112.67.75 dstport=80 dstintf=\"External-SDC\" proto=6 service=HTTP hostname=\"popo.wan.ijinshan.com\" profile=\"scan\" action=passthrough reqtype=direct url=\"/popo/launch?c=cHA9d29vZHMxOTgyQGhvdG1haWwuY29tJnV1aWQ9NDBiNDkyZDRmNzdhNjFmOTNlMjQwMjhiYjE3ZGRlYTYmY29tcGl\" sentbyte=525 rcvdbyte=325 direction=outgoing msg=\"URL belongs to an allowed category in policy\" method=domain cat=52 catdesc=\"Information Technology\"\n")
-    message = mt.render(mark="<111>", bsd=bsd, date=date, time=time, host=host)
+    message = mt.render(mark="<111>", bsd=bsd, date=date, time=time, host=host, tzoffset=tzoffset)
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
     st = env.from_string(
diff --git a/tests/test_fortinet_web.py b/tests/test_fortinet_web.py
index cc59a5d..9338567 100644
--- a/tests/test_fortinet_web.py
+++ b/tests/test_fortinet_web.py
@@ -4,74 +4,31 @@
 # license that can be found in the LICENSE-BSD2 file or at
 # https://opensource.org/licenses/BSD-2-Clause
 import random
-import datetime
-import re
-
 
 from jinja2 import Environment
 
 from .sendmessage import *
 from .splunkutils import *
+from .timeutils import *
 
 env = Environment()
 
-# Function to insert a colon between the time and TZ offset (from -0800 to -08:00)
-
-
-def insert_colon(string, integer):
-    return string[0:integer] + ':' + string[integer:]
-
-# Function to remove leading zero from TZ offsets less than 10 hours
-
-
-def removeZero(tz):
-    return re.sub(r'\b0+(\d)(?=:)', r'\1', tz)
-
-
-def time_operations(dt):
-    # Generate an ISO 8601 (RFC 5424) compliant timestamp with local timezone offset (2020-02-12T12:46:39.323-08:00)
-    # See https://stackoverflow.com/questions/2150739/iso-time-iso-8601-in-python
-    iso = dt.astimezone().isoformat(sep='T', timespec='milliseconds')
-    # Generate an BSD-style (RFC 3164) compliant timestamp with no timezone (Oct 25 13:08:00)
-    bsd = dt.strftime("%b %d %H:%M:%S")
-
-    # Other variants of timestamps needed for this log sample
-    time = dt.strftime("%H:%M:%S")
-    date = dt.strftime("%Y-%m-%d")
-    # Insert colon in tzoffset string; normally just 'tzoffset = dt.astimezone().strftime("%z")'
-    # Could use helper function above; e.g. 'tzoffset = insert_char(dt.astimezone().strftime("%z"), ":", 3)'
-    tzoffset = removeZero(insert_colon((dt.astimezone().strftime("%z")), 3))
-
-    # Derive epoch timestamp for use in search string
-    # NOTE:  There are caveats with 'strftime("%s")', see references below
-
-    # See https://stackoverflow.com/questions/11743019/convert-python-datetime-to-epoch-with-strftime
-    # See https://docs.python.org/3/library/datetime.html#datetime-objects
-    # Basically: Don't use 'utcnow()'
-
-    # Strict way to get epoch as a string (rather than float) avoiding naive objects
-    # epoch = dt.fromtimestamp(dt.timestamp()).strftime('%s')
-
-    # Since datetime.now().astimezone() is aware, strftime() should be safe and form below OK
-    # Trim last 3 or 7 characters of microsecond resolution to obtain milliseconds or whole seconds, respectively
-    epoch = dt.astimezone().strftime("%s.%f")[:-7]
-
-    return iso, bsd, time, date, tzoffset, epoch
-
 # <111> Oct 25 13:08:00 fortiweb date=2013-10-07 time=11:30:53 devname=FortiWeb-A log_id=10000017 msg_id=000000001117 device_id=FVVM040000010871 vd="root" timezone="(GMT-5:00)Eastern Time(US & Canada)" type=event subtype="system" pri=information trigger_policy="" user=admin ui=GUI action=login status=success msg="User admin login successfully from GUI(172.20.120.47)"
-
-
 def test_fortinet_fwb_event(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist),
                           random.choice(setup_wordlist))
 
     dt = datetime.datetime.now()
-    iso, bsd, time, date, tzoffset, epoch = time_operations(dt)
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions for Fortiweb
+    time = time[:-7]
+    tzoffset = removeZero(insert_char(tzoffset, ":", 3))
+    epoch = epoch[:-7]
 
     mt = env.from_string(
         "{{ mark }} {{ bsd }} fortiweb date={{ date }} time={{ time }} devname={{ host }} log_id=10000017 msg_id=000000001117 device_id=FVVM040000010871 vd=\"root\" timezone=\"(GMT{{ tzoffset }})Region,City\" type=event subtype=\"system\" pri=information trigger_policy=\"\" user=admin ui=GUI action=login status=success msg=\"User admin login successfully from GUI(172.20.120.47)\"")
-    message = mt.render(mark="<111>", bsd=bsd, host=host,
-                        time=time, date=date, tzoffset=tzoffset)
+    message = mt.render(mark="<111>", bsd=bsd, host=host, time=time, date=date, tzoffset=tzoffset)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
@@ -88,19 +45,21 @@ def test_fortinet_fwb_event(record_property, setup_wordlist, setup_splunk, setup
     assert resultCount == 1
 
 # <111> Oct 25 13:08:00 fortiweb date=2013-10-07 time=11:30:53 devname=FortiWeb-A log_id=30000000 msg_id=000001351251 device_id=FV-1KD3A14800059 vd="root" timezone="(GMT-8:00)Pacific Time(US&Canada)" type=traffic subtype="http" pri=notice proto=tcp service=http status=success reason=none policy=Auto-policy src=10.0.8.103 src_port=8142 dst=10.20.8.22 dst_port=80 http_request_time=0 http_response_time=0 http_request_bytes=444 http_response_bytes=401 http_method=get http_url="/" http_host="10.0.8.22" http_agent="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; " http_retcode=200 msg="HTTP GET request from 10.0.8.103:8142 to 10.20.8.22:80" srccountry="Reserved" content_switch_name="testa" server_pool_name="Auto-ServerFarm"
-
-
 def test_fortinet_fwb_traffic(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist),
                           random.choice(setup_wordlist))
 
     dt = datetime.datetime.now()
-    iso, bsd, time, date, tzoffset, epoch = time_operations(dt)
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions for Fortiweb
+    time = time[:-7]
+    tzoffset = removeZero(insert_char(tzoffset, ":", 3))
+    epoch = epoch[:-7]
 
     mt = env.from_string(
         "{{ mark }} {{ bsd }} fortiweb date={{ date }} time={{ time }} devname={{ host }} log_id=30000000 msg_id=000001351251 device_id=FV-1KD3A14800059 vd=\"root\" timezone=\"(GMT{{ tzoffset }})Region,City\" type=traffic subtype=\"http\" pri=notice proto=tcp service=http status=success reason=none policy=Auto-policy src=10.0.8.103 src_port=8142 dst=10.20.8.22 dst_port=80 http_request_time=0 http_response_time=0 http_request_bytes=444 http_response_bytes=401 http_method=get http_url=\"/\" http_host=\"10.0.8.22\" http_agent=\"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; \" http_retcode=200 msg=\"HTTP GET request from 10.0.8.103:8142 to 10.20.8.22:80\" srccountry=\"Reserved\" content_switch_name=\"testa\" server_pool_name=\"Auto-ServerFarm\"")
-    message = mt.render(mark="<111>", bsd=bsd, host=host,
-                        time=time, date=date, tzoffset=tzoffset)
+    message = mt.render(mark="<111>", bsd=bsd, host=host, time=time, date=date, tzoffset=tzoffset)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
@@ -117,19 +76,21 @@ def test_fortinet_fwb_traffic(record_property, setup_wordlist, setup_splunk, set
     assert resultCount == 1
 
 # <111> Oct 25 13:08:00 fortiweb date=2013-10-07 time=11:30:53 devname=FortiWeb-A log_id=20000010 msg_id=000139289631 device_id=FV-1KD3A15800072 vd="root" timezone="(GMT+8:00)Beijing,ChongQing,HongKong,Urumgi" type=attack subtype="waf_signature_detection" pri=alert trigger_policy="" severity_level=Medium proto=tcp service=http action=Alert policy="123" src=172.22.6.234 src_port=60554 dst=10.0.9.13 dst_port=80 http_method=get http_url="/preview.php?file==../" http_host="10.0.9.123" http_agent="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0" http_session_id=3B9864AEKNQSLLODNTILCG37M2FZ6A88 msg="[Signatures name: 123] [main class name: Generic Attacks(Extended)] [sub class name: Directory Traversal]: 060150002" signature_subclass="Directory Traversal" signature_id="060150002" srccountry="Reserved" content_switch_name="none" server_pool_name="123" false_positive_mitigation="none" log_type=LOG_TYPE_SCORE_SUM event_score=3 score_message="[score_type: total_score] [score_scope: TCP Session] [score_threshold: 5] [score_sum: 7]" entry_sequence="000139289630"
-
-
 def test_fortinet_fwb_attack(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist),
                           random.choice(setup_wordlist))
 
     dt = datetime.datetime.now()
-    iso, bsd, time, date, tzoffset, epoch = time_operations(dt)
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions for Fortiweb
+    time = time[:-7]
+    tzoffset = removeZero(insert_char(tzoffset, ":", 3))
+    epoch = epoch[:-7]
 
     mt = env.from_string(
         "{{ mark }} {{ bsd }} fortiweb date={{ date }} time={{ time }} devname={{ host }} log_id=20000010 msg_id=000139289631 device_id=FV-1KD3A15800072 vd=\"root\" timezone=\"(GMT{{ tzoffset }})Region,City\" type=attack subtype=\"waf_signature_detection\" pri=alert trigger_policy=\"\" severity_level=Medium proto=tcp service=http action=Alert policy=\"123\" src=172.22.6.234 src_port=60554 dst=10.0.9.13 dst_port=80 http_method=get http_url=\"/preview.php?file==../\" http_host=\"10.0.9.123\" http_agent=\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0\" http_session_id=3B9864AEKNQSLLODNTILCG37M2FZ6A88 msg=\"[Signatures name: 123] [main class name: Generic Attacks(Extended)] [sub class name: Directory Traversal]: 060150002\" signature_subclass=\"Directory Traversal\" signature_id=\"060150002\" srccountry=\"Reserved\" content_switch_name=\"none\" server_pool_name=\"123\" false_positive_mitigation=\"none\" log_type=LOG_TYPE_SCORE_SUM event_score=3 score_message=\"[score_type: total_score] [score_scope: TCP Session] [score_threshold: 5] [score_sum: 7]\" entry_sequence=\"000139289630\"")
-    message = mt.render(mark="<111>", bsd=bsd, host=host,
-                        time=time, date=date, tzoffset=tzoffset)
+    message = mt.render(mark="<111>", bsd=bsd, host=host, time=time, date=date, tzoffset=tzoffset)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
diff --git a/tests/test_imperva.py b/tests/test_imperva.py
index a827dfe..a3654f3 100644
--- a/tests/test_imperva.py
+++ b/tests/test_imperva.py
@@ -9,20 +9,27 @@
 
 from .sendmessage import *
 from .splunkutils import *
+from .timeutils import *
 
-env = Environment(extensions=['jinja2_time.TimeExtension'])
+env = Environment()
 
 def test_imperva_incapsula(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{% now 'local', '%b %d %H:%M:%S' %} {{ host }} " + 'CEF:0|Incapsula|SIEMintegration|1|1|Illegal Resource Access|3| fileid=3412341160002518171 sourceServiceName=site123.abcd.info siteid=1509732 suid=50005477 requestClientApplication=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 deviceFacility=mia cs2=true cs2Label=Javascript Support cs3=true cs3Label=CO Support src=12.12.12.12 caIP=13.13.13.13 ccode=IL tag=www.elvis.com cn1=200 in=54 xff=44.44.44.44 cs1=NOT_SUPPORTED cs1Label=Cap Support cs4=c2e72124-0e8a-4dd8-b13b-3da246af3ab2 cs4Label=VID cs5=de3c633ac428e0678f3aac20cf7f239431e54cbb8a17e8302f53653923305e1835a9cd871db32aa4fc7b8a9463366cc4 cs5Label=clappsigdproc=Browser cs6=Firefox cs6Label=clapp ccode=IL cicode=Rehovot cs7=31.8969 cs7Label=latitude cs8=34.8186 cs8Label=longitude Customer=CEFcustomer123 ver=TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 start=1453290121336 request=site123.abcd.info/ requestmethod=GET qstr=p\=%2fetc%2fpasswd app=HTTP act=REQ_CHALLENGE_CAPTCHA deviceExternalID=33411452762204224 cpt=443 filetype=30037,1001, filepermission=2,1, cs9=Block Malicious User,High Risk Resources, cs9Label=Rule name' + "\n")
-    message = mt.render(mark="<111>", host=host)
+        "{{ bsd }} {{ host }} " + 'CEF:0|Incapsula|SIEMintegration|1|1|Illegal Resource Access|3| fileid=3412341160002518171 sourceServiceName=site123.abcd.info siteid=1509732 suid=50005477 requestClientApplication=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 deviceFacility=mia cs2=true cs2Label=Javascript Support cs3=true cs3Label=CO Support src=12.12.12.12 caIP=13.13.13.13 ccode=IL tag=www.elvis.com cn1=200 in=54 xff=44.44.44.44 cs1=NOT_SUPPORTED cs1Label=Cap Support cs4=c2e72124-0e8a-4dd8-b13b-3da246af3ab2 cs4Label=VID cs5=de3c633ac428e0678f3aac20cf7f239431e54cbb8a17e8302f53653923305e1835a9cd871db32aa4fc7b8a9463366cc4 cs5Label=clappsigdproc=Browser cs6=Firefox cs6Label=clapp ccode=IL cicode=Rehovot cs7=31.8969 cs7Label=latitude cs8=34.8186 cs8Label=longitude Customer=CEFcustomer123 ver=TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 start=1453290121336 request=site123.abcd.info/ requestmethod=GET qstr=p\=%2fetc%2fpasswd app=HTTP act=REQ_CHALLENGE_CAPTCHA deviceExternalID=33411452762204224 cpt=443 filetype=30037,1001, filepermission=2,1, cs9=Block Malicious User,High Risk Resources, cs9Label=Rule name' + "\n")
+    message = mt.render(mark="<111>", bsd=bsd, host=host)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netwaf host=\"{{ host }}\" sourcetype=\"cef\" source=\"Imperva:Incapsula\" | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=netwaf host=\"{{ host }}\" sourcetype=\"cef\" source=\"Imperva:Incapsula\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
diff --git a/tests/test_infoblox.py b/tests/test_infoblox.py
index ebcf366..0c622a1 100644
--- a/tests/test_infoblox.py
+++ b/tests/test_infoblox.py
@@ -11,22 +11,28 @@
 
 from .sendmessage import *
 from .splunkutils import *
-import random
+from .timeutils import *
 
-env = Environment(extensions=['jinja2_time.TimeExtension'])
+env = Environment()
 
 #<142>Oct 25 13:08:00 161.231.218.156 named[6597]: FORMERR resolving 'www.google.com/AAAA/IN': 209.2.230.6#53
 def test_infoblox_dns(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "vib-{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
     pid = random.randint(1000, 32000)
 
-    mt = env.from_string("{{ mark }} {% now 'local', '%b %d %H:%M:%S' %} {{ host }} named[{{ pid }}]: FORMERR resolving 'www.google.com/AAAA/IN': 209.2.230.6#53\n")
-    message = mt.render(mark="<111>", host=host, pid=pid)
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
+    mt = env.from_string("{{ mark }} {{ bsd }} {{ host }} named[{{ pid }}]: FORMERR resolving 'www.google.com/AAAA/IN': 209.2.230.6#53\n")
+    message = mt.render(mark="<111>", bsd=bsd, host=host, pid=pid)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netdns host={{ host }} sourcetype=\"infoblox:dns\" | head 2")
-    search = st.render(host=host, pid=pid)
+    st = env.from_string("search _time={{ epoch }} index=netdns host={{ host }} sourcetype=\"infoblox:dns\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -41,13 +47,19 @@ def test_infoblox_dhcp(record_property, setup_wordlist, setup_splunk, setup_sc4s
     host = "vib-{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
     pid = random.randint(1000, 32000)
 
-    mt = env.from_string("{{ mark }} {% now 'local', '%b %d %H:%M:%S' %} {{ host }} dhcpd[{{ pri }}]: DHCPREQUEST for 10.00.00.62 from 80:00:00:00:0e:70 (EXAMPLE) via eth2 TransID 802c562c uid 01:80:00:00:00:00:70 (RENEW)\n")
-    message = mt.render(mark="<150>", host=host, pid=pid)
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
+    mt = env.from_string("{{ mark }} {{ bsd }} {{ host }} dhcpd[{{ pid }}]: DHCPREQUEST for 10.00.00.62 from 80:00:00:00:0e:70 (EXAMPLE) via eth2 TransID 802c562c uid 01:80:00:00:00:00:70 (RENEW)\n")
+    message = mt.render(mark="<150>", bsd=bsd, host=host, pid=pid)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netipam host={{ host }} sourcetype=\"infoblox:dhcp\" | head 2")
-    search = st.render(host=host, pid=pid)
+    st = env.from_string("search _time={{ epoch }} index=netipam host={{ host }} sourcetype=\"infoblox:dhcp\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
diff --git a/tests/test_juniper_junos_rfc3164.py b/tests/test_juniper_junos_rfc3164.py
index 8288954..686fb91 100644
--- a/tests/test_juniper_junos_rfc3164.py
+++ b/tests/test_juniper_junos_rfc3164.py
@@ -8,20 +8,28 @@
 
 from .sendmessage import *
 from .splunkutils import *
+from .timeutils import *
+
+env = Environment()
 
-env = Environment(extensions=['jinja2_time.TimeExtension'])
 # <23> Mar 18 17:56:52 RT_UTM: WEBFILTER_URL_PERMITTED: WebFilter: ACTION="URL Permitted" 192.168.32.1(62054)->1.1.1.1(443) CATEGORY="Enhanced_Information_Technology" REASON="BY_PRE_DEFINED" PROFILE="UTM-Wireless-Profile" URL=ent-shasta-rrs.symantec.com OBJ=/ username N/A roles N/A
 def test_juniper_utm_standard(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s):
     host = get_host_key
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{{ mark }} {% now 'local', '%b %d %H:%M:%S' %} {{ host }} RT_UTM: WEBFILTER_URL_PERMITTED: WebFilter: ACTION=\"URL Permitted\" 192.168.32.1(62054)->1.1.1.1(443) CATEGORY=\"Enhanced_Information_Technology\" REASON=\"BY_PRE_DEFINED\" PROFILE=\"UTM-Wireless-Profile\" URL=ent-shasta-rrs.symantec.com OBJ=/ username N/A roles N/A")
-    message = mt.render(mark="<23>", host=host)
+        "{{ mark }} {{ bsd }} {{ host }} RT_UTM: WEBFILTER_URL_PERMITTED: WebFilter: ACTION=\"URL Permitted\" 192.168.32.1(62054)->1.1.1.1(443) CATEGORY=\"Enhanced_Information_Technology\" REASON=\"BY_PRE_DEFINED\" PROFILE=\"UTM-Wireless-Profile\" URL=ent-shasta-rrs.symantec.com OBJ=/ username N/A roles N/A")
+    message = mt.render(mark="<23>", bsd=bsd, host=host)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netids host=\"{{ host }}\" sourcetype=\"juniper:junos:firewall\" | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=netids host=\"{{ host }}\" sourcetype=\"juniper:junos:firewall\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -35,14 +43,20 @@ def test_juniper_utm_standard(record_property, setup_wordlist, get_host_key, set
 def test_juniper_firewall_standard(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s):
     host = get_host_key
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{{ mark }} {% now 'local', '%b %d %H:%M:%S' %} {{ host }} RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.1.102/58662->8.8.8.8/53 junos-dns-udp 68.144.1.1/55893->8.8.8.8/53 TRUST-INET-ACCESS None 17 OUTBOUND-INTERNET-ACCESS TRUST INTERNET 6316 N/A(N/A) vlan.192")
-    message = mt.render(mark="<23>", host=host)
+        "{{ mark }} {{ bsd }} {{ host }} RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.1.102/58662->8.8.8.8/53 junos-dns-udp 68.144.1.1/55893->8.8.8.8/53 TRUST-INET-ACCESS None 17 OUTBOUND-INTERNET-ACCESS TRUST INTERNET 6316 N/A(N/A) vlan.192")
+    message = mt.render(mark="<23>", bsd=bsd, host=host)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netfw host=\"{{ host }}\" sourcetype=\"juniper:junos:firewall\" | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=netfw host=\"{{ host }}\" sourcetype=\"juniper:junos:firewall\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -55,14 +69,20 @@ def test_juniper_firewall_standard(record_property, setup_wordlist, get_host_key
 def test_juniper_idp_standard(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s):
     host = get_host_key
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{{ mark }} {% now 'local', '%b %d %H:%M:%S' %} {{ host }} RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1303673404, ANOMALY Attack log <64.1.2.1/48397->198.87.233.110/80> for TCP protocol and service HTTP application NONE by rule 3 of rulebase IPS in policy Recommended. attack: repeat=0, action=DROP, threat-severity=HIGH, name=HTTP:INVALID:MSNG-HTTP-VER, NAT <46.0.3.254:55870->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:trust:fe-0/0/2.0->untrust:fe-0/0/3.0, packet-log-id: 0 and misc-message -")
-    message = mt.render(mark="<23>", host=host)
+        "{{ mark }} {{ bsd }} {{ host }} RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1303673404, ANOMALY Attack log <64.1.2.1/48397->198.87.233.110/80> for TCP protocol and service HTTP application NONE by rule 3 of rulebase IPS in policy Recommended. attack: repeat=0, action=DROP, threat-severity=HIGH, name=HTTP:INVALID:MSNG-HTTP-VER, NAT <46.0.3.254:55870->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:trust:fe-0/0/2.0->untrust:fe-0/0/3.0, packet-log-id: 0 and misc-message -")
+    message = mt.render(mark="<23>", bsd=bsd, host=host)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netids host=\"{{ host }}\" sourcetype=\"juniper:junos:idp\" | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=netids host=\"{{ host }}\" sourcetype=\"juniper:junos:idp\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
diff --git a/tests/test_juniper_junos_rfc5124.py b/tests/test_juniper_junos_rfc5124.py
index 5e4565f..458536c 100644
--- a/tests/test_juniper_junos_rfc5124.py
+++ b/tests/test_juniper_junos_rfc5124.py
@@ -8,22 +8,30 @@
 
 from .sendmessage import *
 from .splunkutils import *
+from .timeutils import *
 
-env = Environment(extensions=['jinja2_time.TimeExtension'])
+env = Environment()
 
 # <165>1 2007-02-15T09:17:15.719Z router1 mgd 3046 UI_DBASE_LOGOUT_EVENT [junos@2636.1.1.1.2.18 username="user"] User 'user' exiting configuration mode
 # @pytest.mark.xfail
 def test_juniper_junos_structured(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s):
     host = get_host_key
 
+    dt = datetime.datetime.now(datetime.timezone.utc)
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    iso = dt.isoformat()[0:23]
+    epoch = epoch[:-3]
+
     mt = env.from_string(
-        "{{ mark }} {% now 'utc', '%Y-%m-%dT%H:%M:%S' %}.700Z {{ host }} mgd 3046 UI_DBASE_LOGOUT_EVENT [junos@2636.1.1.1.2.18 username=\"user\"] User 'user' exiting configuration mode\n")
-    message = mt.render(mark="<165>1", host=host)
+        "{{ mark }} {{ iso }}Z {{ host }} mgd 3046 UI_DBASE_LOGOUT_EVENT [junos@2636.1.1.1.2.18 username=\"user\"] User 'user' exiting configuration mode\n")
+    message = mt.render(mark="<165>1", iso=iso, host=host)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netops host=\"{{ host }}\" sourcetype=\"juniper:structured\" | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=netops host=\"{{ host }}\" sourcetype=\"juniper:structured\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -38,14 +46,21 @@ def test_juniper_junos_structured(record_property, setup_wordlist, get_host_key,
 def test_juniper_junos_idp_structured(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s):
     host = get_host_key
 
+    dt = datetime.datetime.now(datetime.timezone.utc)
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    iso = dt.isoformat()[0:23]
+    epoch = epoch[:-3]
+
     mt = env.from_string(
-        "{{ mark }} {% now 'utc', '%Y-%m-%dT%H:%M:%S' %}.700Z {{ host }} RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.135 epoch-time=\"1507845354\" message-type=\"SIG\" source-address=\"183.78.180.27\" source-port=\"45610\" destination-address=\"118.127.xx.xx\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"9\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"15229\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"TROJAN:ZMEU-BOT-SCAN\" nat-source-address=\"0.0.0.0\" nat-source-port=\"0\" nat-destination-address=\"172.xx.xx.xx\" nat-destination-port=\"0\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"sec-zone-name-internet\" source-interface-name=\"reth0.XXX\" destination-zone-name=\"dst-sec-zone1-outside\" destination-interface-name=\"reth1.xxx\" packet-log-id=\"0\" alert=\"no\" username=\"N/A\" roles=\"N/A\" message=\"-\"]")
-    message = mt.render(mark="<165>1", host=host)
+        "{{ mark }} {{ iso }}Z {{ host }} RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.135 epoch-time=\"1507845354\" message-type=\"SIG\" source-address=\"183.78.180.27\" source-port=\"45610\" destination-address=\"118.127.xx.xx\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"9\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"15229\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"TROJAN:ZMEU-BOT-SCAN\" nat-source-address=\"0.0.0.0\" nat-source-port=\"0\" nat-destination-address=\"172.xx.xx.xx\" nat-destination-port=\"0\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"sec-zone-name-internet\" source-interface-name=\"reth0.XXX\" destination-zone-name=\"dst-sec-zone1-outside\" destination-interface-name=\"reth1.xxx\" packet-log-id=\"0\" alert=\"no\" username=\"N/A\" roles=\"N/A\" message=\"-\"]")
+    message = mt.render(mark="<165>1", iso=iso, host=host)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netids host=\"{{ host }}\" sourcetype=\"juniper:junos:idp:structured\" | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=netids host=\"{{ host }}\" sourcetype=\"juniper:junos:idp:structured\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -60,14 +75,21 @@ def test_juniper_junos_idp_structured(record_property, setup_wordlist, get_host_
 def test_juniper_junos_fw_structured(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s):
     host = get_host_key
 
+    dt = datetime.datetime.now(datetime.timezone.utc)
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    iso = dt.isoformat()[0:23]
+    epoch = epoch[:-3]
+
     mt = env.from_string(
-        "{{ mark }} {% now 'utc', '%Y-%m-%dT%H:%M:%S' %}.700Z {{ host }} RT_FLOW - RT_FLOW_SESSION_CREATE_LS [junos@2636.1.1.1.2.26 logical-system-name=\"test-lsys\" source-address=\"10.10.10.100\" source-port=\"4206\" destination-address=\"10.20.20.15\" destination-port=\"445\" service-name=\"junos-smb\" nat-source-address=\"10.10.10.100\" nat-source-port=\"4206\" nat-destination-address=\"10.20.20.15\" nat-destination-port=\"445\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"123\" source-zone-name=\"TEST1\" destination-zone-name=\"TEST2\" session-id-32=\"14285714\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth1.100\"]")
-    message = mt.render(mark="<23>1", host=host)
+        "{{ mark }} {{ iso }}Z {{ host }} RT_FLOW - RT_FLOW_SESSION_CREATE_LS [junos@2636.1.1.1.2.26 logical-system-name=\"test-lsys\" source-address=\"10.10.10.100\" source-port=\"4206\" destination-address=\"10.20.20.15\" destination-port=\"445\" service-name=\"junos-smb\" nat-source-address=\"10.10.10.100\" nat-source-port=\"4206\" nat-destination-address=\"10.20.20.15\" nat-destination-port=\"445\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"123\" source-zone-name=\"TEST1\" destination-zone-name=\"TEST2\" session-id-32=\"14285714\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth1.100\"]")
+    message = mt.render(mark="<23>1", iso=iso, host=host)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netfw host=\"{{ host }}\" sourcetype=\"juniper:junos:firewall:structured\" | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=netfw host=\"{{ host }}\" sourcetype=\"juniper:junos:firewall:structured\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
diff --git a/tests/test_juniper_legacy.py b/tests/test_juniper_legacy.py
index 4367883..3d19206 100644
--- a/tests/test_juniper_legacy.py
+++ b/tests/test_juniper_legacy.py
@@ -8,22 +8,28 @@
 
 from .sendmessage import *
 from .splunkutils import *
+from .timeutils import *
 
-env = Environment(extensions=['jinja2_time.TimeExtension'])
-
+env = Environment()
 
 # <134> Aug 02 14:45:04 10.0.0.1 65.197.254.193 20090320, 17331, 2009/03/20 14:47:45, 2009/03/20 14:47:50, global, 53, [FW NAME], [FW IP], traffic, traffic log, trust, (NULL), 10.1.1.20, 1725, 82.2.19.2, 2383, untrust, (NULL), 84.5.78.4, 80, 84.53.178.64, 80, tcp, global, 53, [FW NAME], fw/vpn, 4, accepted, info, no, Creation, (NULL), (NULL), (NULL), 0, 0, 0, 0, 0, 0, 0, 1, no, 0, Not Set, sos
 def test_juniper_nsm_standard(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s):
     host = get_host_key
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{{ mark }} {% now 'local', '%b %d %H:%M:%S' %} jnpnsm-{{ host }} 65.197.254.193 20090320, 17331, 2009/03/20 14:47:45, 2009/03/20 14:47:50, global, 53, [FW NAME], [FW IP], traffic, traffic log, trust, (NULL), 10.1.1.20, 1725, 82.2.19.2, 2383, untrust, (NULL), 84.5.78.4, 80, 84.53.178.64, 80, tcp, global, 53, [FW NAME], fw/vpn, 4, accepted, info, no, Creation, (NULL), (NULL), (NULL), 0, 0, 0, 0, 0, 0, 0, 1, no, 0, Not Set, sos")
-    message = mt.render(mark="<134>", host=host)
+        "{{ mark }} {{ bsd }} jnpnsm-{{ host }} 65.197.254.193 20090320, 17331, 2009/03/20 14:47:45, 2009/03/20 14:47:50, global, 53, [FW NAME], [FW IP], traffic, traffic log, trust, (NULL), 10.1.1.20, 1725, 82.2.19.2, 2383, untrust, (NULL), 84.5.78.4, 80, 84.53.178.64, 80, tcp, global, 53, [FW NAME], fw/vpn, 4, accepted, info, no, Creation, (NULL), (NULL), (NULL), 0, 0, 0, 0, 0, 0, 0, 1, no, 0, Not Set, sos")
+    message = mt.render(mark="<134>", bsd=bsd, host=host)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netfw host=\"jnpnsm-{{ host }}\" sourcetype=\"juniper:nsm\" | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=netfw host=\"jnpnsm-{{ host }}\" sourcetype=\"juniper:nsm\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -38,14 +44,20 @@ def test_juniper_nsm_standard(record_property, setup_wordlist, get_host_key, set
 def test_juniper_nsm_idp_standard(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s):
     host = get_host_key
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{{ mark }} {% now 'local', '%b %d %H:%M:%S' %} jnpnsmidp-{{ host }} 65.197.254.193 20090320, 17331, 2009/03/20 14:47:45, 2009/03/20 14:47:50, global, 53, [IDP NAME], [IDP IP], predefined, rule, trust, (NULL), 10.1.1.20, 1725, 82.2.19.2, 2383, untrust, (NULL), 84.5.78.4, 80, 84.53.178.64, 80, tcp, global, 53, [IDP NAME], fw/vpn, 4, accepted, info, no, Creation, (NULL), (NULL), (NULL), 0, 0, 0, 0, 0, 0, 0, 1, no, 0, Not Set, sos")
-    message = mt.render(mark="<134>", host=host)
+        "{{ mark }} {{ bsd }} jnpnsmidp-{{ host }} 65.197.254.193 20090320, 17331, 2009/03/20 14:47:45, 2009/03/20 14:47:50, global, 53, [IDP NAME], [IDP IP], predefined, rule, trust, (NULL), 10.1.1.20, 1725, 82.2.19.2, 2383, untrust, (NULL), 84.5.78.4, 80, 84.53.178.64, 80, tcp, global, 53, [IDP NAME], fw/vpn, 4, accepted, info, no, Creation, (NULL), (NULL), (NULL), 0, 0, 0, 0, 0, 0, 0, 1, no, 0, Not Set, sos")
+    message = mt.render(mark="<134>", bsd=bsd, host=host)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netids host=\"jnpnsmidp-{{ host }}\" sourcetype=\"juniper:nsm:idp\" | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=netids host=\"jnpnsmidp-{{ host }}\" sourcetype=\"juniper:nsm:idp\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -60,14 +72,20 @@ def test_juniper_nsm_idp_standard(record_property, setup_wordlist, get_host_key,
 def test_juniper_netscreen_fw(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s):
     host = get_host_key
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{{ mark }} {% now 'local', '%b %d %H:%M:%S' %} jnpns-{{ host }} ns204: NetScreen device_id=netscreen2  [Root]system-notification-00257(traffic): start_time=\"2009-03-18 16:07:06\" duration=0 policy_id=320001 service=msrpc Endpoint Mapper(tcp) proto=6 src zone=Null dst zone=self action=Deny sent=0 rcvd=16384 src=21.10.90.125 dst=23.16.1.1\n")
-    message = mt.render(mark="<23>", host=host)
+        "{{ mark }} {{ bsd }} jnpns-{{ host }} ns204: NetScreen device_id=netscreen2  [Root]system-notification-00257(traffic): start_time=\"2009-03-18 16:07:06\" duration=0 policy_id=320001 service=msrpc Endpoint Mapper(tcp) proto=6 src zone=Null dst zone=self action=Deny sent=0 rcvd=16384 src=21.10.90.125 dst=23.16.1.1\n")
+    message = mt.render(mark="<23>", bsd=bsd, host=host)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netfw host=\"jnpns-{{ host }}\" sourcetype=\"netscreen:firewall\" | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=netfw host=\"jnpns-{{ host }}\" sourcetype=\"netscreen:firewall\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -85,14 +103,21 @@ def test_juniper_netscreen_fw(record_property, setup_wordlist, get_host_key, set
 def test_juniper_idp_structured(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s):
     host = get_host_key
 
+    dt = datetime.datetime.now(datetime.timezone.utc)
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    iso = dt.isoformat()[0:23]
+    epoch = epoch[:-3]
+
     mt = env.from_string(
-        "{{ mark }} {% now 'utc', '%Y-%m-%dT%H:%M:%S' %}.700Z {{ host }} Jnpr Syslog 23414 [syslog@juniper.net dayId=\"20100623\" recordId=\"0\" timeRecv=\"2010/06/23 18:05:55\" timeGen=\"2010/06/23 18:05:51\" domain=\"\" devDomVer2=\"0\" device_ip=\"10.209.83.9\" cat=\"Config\" attack=\"\" srcZn=\"NULL\" srcIntf=\"\" srcAddr=\"0.0.0.0\" srcPort=\"0\" natSrcAddr=\"NULL\" natSrcPort=\"0\" dstZn=\"NULL\" dstIntf=\"NULL\" dstAddr=\"0.0.0.0\" dstPort=\"0\" natDstAddr=\"NULL\" natDstPort=\"0\" protocol=\"IP\" ruleDomain=\"\" ruleVer=\"0\" policy=\"\" rulebase=\"NONE\" ruleNo=\"0\" action=\"NONE\" severity=\"INFO\" alert=\"no\" elaspedTime=\"0\" inbytes=\"0\" outbytes=\"0\" totBytes=\"0\" inPak=\"0\" outPak=\"0\" totPak=\"0\" repCount=\"0\" packetData=\"no\" varEnum=\"0\" misc=\"Interaface  eth2,eth3 is in Normal State\" user=\"NULL\" app=\"NULL\" uri=\"NULL\"]")
-    message = mt.render(mark="<165>1", host=host)
+        "{{ mark }} {{ iso }}Z {{ host }} Jnpr Syslog 23414 [syslog@juniper.net dayId=\"20100623\" recordId=\"0\" timeRecv=\"2010/06/23 18:05:55\" timeGen=\"2010/06/23 18:05:51\" domain=\"\" devDomVer2=\"0\" device_ip=\"10.209.83.9\" cat=\"Config\" attack=\"\" srcZn=\"NULL\" srcIntf=\"\" srcAddr=\"0.0.0.0\" srcPort=\"0\" natSrcAddr=\"NULL\" natSrcPort=\"0\" dstZn=\"NULL\" dstIntf=\"NULL\" dstAddr=\"0.0.0.0\" dstPort=\"0\" natDstAddr=\"NULL\" natDstPort=\"0\" protocol=\"IP\" ruleDomain=\"\" ruleVer=\"0\" policy=\"\" rulebase=\"NONE\" ruleNo=\"0\" action=\"NONE\" severity=\"INFO\" alert=\"no\" elaspedTime=\"0\" inbytes=\"0\" outbytes=\"0\" totBytes=\"0\" inPak=\"0\" outPak=\"0\" totPak=\"0\" repCount=\"0\" packetData=\"no\" varEnum=\"0\" misc=\"Interaface  eth2,eth3 is in Normal State\" user=\"NULL\" app=\"NULL\" uri=\"NULL\"]")
+    message = mt.render(mark="<165>1", iso=iso, host=host)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netids host=\"{{ host }}\" sourcetype=\"juniper:idp\" | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=netids host=\"{{ host }}\" sourcetype=\"juniper:idp\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -107,14 +132,20 @@ def test_juniper_idp_structured(record_property, setup_wordlist, get_host_key, s
 def test_juniper_netscreen_fw_singleport(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s):
     host = get_host_key
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{{ mark }} {% now 'local', '%b %d %H:%M:%S' %} {{ host }} ns204: NetScreen device_id=netscreen2  [Root]system-notification-00257(traffic): start_time=\"2009-03-18 16:07:06\" duration=0 policy_id=320001 service=msrpc Endpoint Mapper(tcp) proto=6 src zone=Null dst zone=self action=Deny sent=0 rcvd=16384 src=21.10.90.125 dst=23.16.1.1 singleport=5000\n")
-    message = mt.render(mark="<23>", host=host)
+        "{{ mark }} {{ bsd }} {{ host }} ns204: NetScreen device_id=netscreen2  [Root]system-notification-00257(traffic): start_time=\"2009-03-18 16:07:06\" duration=0 policy_id=320001 service=msrpc Endpoint Mapper(tcp) proto=6 src zone=Null dst zone=self action=Deny sent=0 rcvd=16384 src=21.10.90.125 dst=23.16.1.1 singleport=5000\n")
+    message = mt.render(mark="<23>", bsd=bsd, host=host)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][5000])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netfw host=\"{{ host }}\" sourcetype=\"netscreen:firewall\" | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=netfw host=\"{{ host }}\" sourcetype=\"netscreen:firewall\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
diff --git a/tests/test_juniper_sslvpn.py b/tests/test_juniper_sslvpn.py
index c4a6512..df1b55a 100644
--- a/tests/test_juniper_sslvpn.py
+++ b/tests/test_juniper_sslvpn.py
@@ -8,22 +8,30 @@
 
 from .sendmessage import *
 from .splunkutils import *
+from .timeutils import *
 
-env = Environment(extensions=['jinja2_time.TimeExtension'])
+env = Environment()
 
 # <23> Feb 27 15:00:00 vpn-001 Juniper: 2013-02-27 15:00:00 - ive - [000.000.000.000] SAMPLE::xxx@xxx.xxx(Users)[] - Session timed out for xxx@xxx.xxx.xxx/Users (session:00000000) due to inactivity (last access at 13:59:31 2013/02/27). Idle session identified during routine system scan.
 # <23> Feb 27 15:00:00 vpn-001 Juniper: 2013-02-27 15:00:00 - ive - [000.000.000.000] SAMPLE::xxx@xxx.xxx(Users)[User_Role] - Remote address for user xxx@xxx.xxx/Users changed from 000.000.000.000 to 000.000.000.000. Access denied.
 def test_juniper_sslvpn_standard(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s):
     host = get_host_key
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    time = time[:-7]
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{{ mark }} {% now 'local', '%b %d %H:%M:%S' %} {{ host }} Juniper: {% now 'local', '%Y-%m-%d %H:%M:%S' %} - ive - [000.000.000.000] SAMPLE::xxx@xxx.xxx(Users)[User_Role] - Remote address for user xxx@xxx.xxx/Users changed from 000.000.000.000 to 000.000.000.000. Access denied.")
-    message = mt.render(mark="<23>", host=host)
+        "{{ mark }} {{ bsd }} {{ host }} Juniper: {{ date }} {{ time }} - ive - [000.000.000.000] SAMPLE::xxx@xxx.xxx(Users)[User_Role] - Remote address for user xxx@xxx.xxx/Users changed from 000.000.000.000 to 000.000.000.000. Access denied.")
+    message = mt.render(mark="<23>", bsd=bsd, host=host, date=date, time=time)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netfw host=\"{{ host }}\" sourcetype=\"juniper:sslvpn\" | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=netfw host=\"{{ host }}\" sourcetype=\"juniper:sslvpn\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
diff --git a/tests/test_linux_syslog.py b/tests/test_linux_syslog.py
index 9e98dc2..3801d8f 100644
--- a/tests/test_linux_syslog.py
+++ b/tests/test_linux_syslog.py
@@ -11,22 +11,28 @@
 
 from .sendmessage import *
 from .splunkutils import *
-import random
+from .timeutils import *
 
-env = Environment(extensions=['jinja2_time.TimeExtension'])
+env = Environment()
 
 #<78>Oct 25 09:10:00 /usr/sbin/cron[54928]: (root) CMD (/usr/libexec/atrun)
 def test_linux__nohost_program_as_path(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
     pid = random.randint(1000, 32000)
 
-    mt = env.from_string("{{ mark }} {% now 'local', '%b %d %H:%M:%S' %} /usr/sbin/cron[{{ pid }}]: (root) CMD (/usr/libexec/atrun)\n")
-    message = mt.render(mark="<111>", host=host, pid=pid)
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
+    mt = env.from_string("{{ mark }} {{ bsd }} /usr/sbin/cron[{{ pid }}]: (root) CMD (/usr/libexec/atrun)\n")
+    message = mt.render(mark="<111>", host=host, bsd=bsd, pid=pid)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=osnix \"[{{ pid }}]\" sourcetype=\"nix:syslog\" | head 2")
-    search = st.render(host=host, pid=pid)
+    st = env.from_string("search _time={{ epoch }} index=osnix \"[{{ pid }}]\" sourcetype=\"nix:syslog\"")
+    search = st.render(epoch=epoch, pid=pid)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -40,13 +46,19 @@ def test_linux__host_program_as_path(record_property, setup_wordlist, setup_splu
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
     pid = random.randint(1000, 32000)
 
-    mt = env.from_string("{{ mark }} {% now 'local', '%b %d %H:%M:%S' %} {{ host }} /usr/sbin/cron[{{ pid }}]: (root) CMD (/usr/libexec/atrun)\n")
-    message = mt.render(mark="<111>", host=host, pid=pid)
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
+    mt = env.from_string("{{ mark }} {{ bsd }} {{ host }} /usr/sbin/cron[{{ pid }}]: (root) CMD (/usr/libexec/atrun)\n")
+    message = mt.render(mark="<111>", bsd=bsd, host=host, pid=pid)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=osnix \"[{{ pid }}]\" host={{ host }} sourcetype=\"nix:syslog\" | head 2")
-    search = st.render(host=host, pid=pid)
+    st = env.from_string("search _time={{ epoch }} index=osnix \"[{{ pid }}]\" host={{ host }} sourcetype=\"nix:syslog\"")
+    search = st.render(epoch=epoch, pid=pid, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -60,13 +72,19 @@ def test_linux__nohost_program_conforms(record_property, setup_wordlist, setup_s
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
     pid = random.randint(1000, 32000)
 
-    mt = env.from_string("{{ mark }} {% now 'local', '%b %d %H:%M:%S' %} cron[{{ pid }}]: (root) CMD (/usr/libexec/atrun)\n")
-    message = mt.render(mark="<111>", host=host, pid=pid)
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
+    mt = env.from_string("{{ mark }} {{ bsd }} cron[{{ pid }}]: (root) CMD (/usr/libexec/atrun)\n")
+    message = mt.render(mark="<111>", bsd=bsd, host=host, pid=pid)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=osnix \"[{{ pid }}]\" sourcetype=\"nix:syslog\" | head 2")
-    search = st.render(host=host, pid=pid)
+    st = env.from_string("search _time={{ epoch }} index=osnix \"[{{ pid }}]\" sourcetype=\"nix:syslog\"")
+    search = st.render(epoch=epoch, pid=pid)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -80,13 +98,19 @@ def test_linux__host_program_conforms(record_property, setup_wordlist, setup_spl
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
     pid = random.randint(1000, 32000)
 
-    mt = env.from_string("{{ mark }} {% now 'local', '%b %d %H:%M:%S' %} {{ host }} cron[{{ pid }}]: (root) CMD (/usr/libexec/atrun)\n")
-    message = mt.render(mark="<111>", host=host, pid=pid)
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
+    mt = env.from_string("{{ mark }} {{ bsd }} {{ host }} cron[{{ pid }}]: (root) CMD (/usr/libexec/atrun)\n")
+    message = mt.render(mark="<111>", bsd=bsd, host=host, pid=pid)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=osnix \"[{{ pid }}]\" host={{ host }} sourcetype=\"nix:syslog\" | head 2")
-    search = st.render(host=host, pid=pid)
+    st = env.from_string("search _time={{ epoch }} index=osnix \"[{{ pid }}]\" host={{ host }} sourcetype=\"nix:syslog\"")
+    search = st.render(epoch=epoch, pid=pid, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
diff --git a/tests/test_microfocus_arcsight.py b/tests/test_microfocus_arcsight.py
index 1126de5..29c049e 100644
--- a/tests/test_microfocus_arcsight.py
+++ b/tests/test_microfocus_arcsight.py
@@ -9,8 +9,9 @@
 
 from .sendmessage import *
 from .splunkutils import *
+from .timeutils import *
 
-env = Environment(extensions=['jinja2_time.TimeExtension'])
+env = Environment()
 
 # Mar 19 15:19:15 syslog1 CEF:0|ArcSight|ArcSight|7.9.0.8084.0|agent:050|Connector Raw Event Statistics|Low| eventId=77 mrt=1539321422787 categorySignificance=/Informational categoryBehavior=/Execute/Response categoryDeviceGroup=/Application catdt=Security Management categoryOutcome=/Success categoryObject=/Host/Application art=1539321424798 cat=/Agent/RawEvent/Statistics deviceSeverity=Warning rt=1539321422787 fileType=Agent cs1=0.23 cs2=157.72333333333333 cs3=0.23 cs4=47317 cs5=157.72333333333333 cs6=3o0OiZmYBABCACGN9CiyuGQ\=\= cn1=69 cn2=47317 cn3=69 deviceCustomDate1=1539321122775 cs1Label=Event throughput cs2Label=Raw event character throughput cs3Label=Event throughput (SLC) cs4Label=Raw event length (SLC) cs5Label=Raw event character throughput (SLC) cs6Label=Destination ID cn1Label=Total event count cn2Label=Total raw event length cn3Label=Event count (SLC) deviceCustomDate1Label=Last time ahost=win-pan1 agt=192.168.13.152 agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 amac=00-0C-29-98-8D-D7 av=7.9.0.8084.0 atz=Asia/Riyadh at=windowsfg dvchost=win-pan1 dvc=192.168.13.152 deviceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 dvcmac=00-0C-29-98-8D-D7 dtz=Asia/Riyadh _cefVer=0.1 aid=3o0OiZmYBABCACGN9CiyuGQ\=\=
 # Mar 19 15:19:15 syslog1 CEF:0|ArcSight|ArcSight|7.9.0.8084.0|agent:016|Device connection up|Low| eventId=30 msg=Connected to Host mrt=1539321123071 categorySignificance=/Normal categoryBehavior=/Access/Start categoryDeviceGroup=/Application catdt=Security Management categoryOutcome=/Success categoryObject=/Host/Application art=1539321124967 cat=/Agent/Connection/Device?Success deviceSeverity=Warning rt=1539321123071 dhost=WIN-PAN1 dst=192.168.13.152 destinationZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 fileType=Agent cs2=<Resource ID\="3MQ1+L2YBABCAApZ7fvr37A\=\="/> cs2Label=Configuration Resource ahost=win-pan1 agt=192.168.13.152 agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 amac=00-0C-29-98-8D-D7 av=7.9.0.8084.0 atz=Asia/Riyadh at=windowsfg dvchost=win-pan1 dvc=192.168.13.152 deviceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 dvcmac=00-0C-29-98-8D-D7 dtz=Asia/Riyadh _cefVer=0.1 aid=3o0OiZmYBABCACGN9CiyuGQ\=\=
@@ -19,14 +20,20 @@
 def test_microfocus_arcsight_ts_rt(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{% now 'local', '%b %d %H:%M:%S' %} {{ host }} " + 'CEF:0|ArcSight|ArcSight|7.9.0.8084.0|agent:016|Device connection up|Low| eventId=77 msg=Connected to Host mrt=1539321047341 categorySignificance=/Normal categoryBehavior=/Access/Start categoryDeviceGroup=/Application catdt=Security Management categoryOutcome=/Success categoryObject=/Host/Application art=1539321049259 cat=/Agent/Connection/Device?Success deviceSeverity=Warning rt=' + "{% now 'local', '%s' %}" + ' dhost=WIN-PAN1 dst=192.168.13.152 destinationZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 fileType=Agent cs2=<Resource ID\\="3MQ1+L2YBABCAApZ7fvr37A\\=\\="/> cs2Label=Configuration Resource ahost=win-pan1 agt=192.168.13.152 agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 amac=00-0C-29-98-8D-D7 av=7.9.0.8084.0 atz=Asia/Riyadh at=windowsfg dvchost=win-pan1 dvc=192.168.13.152 deviceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 dvcmac=00-0C-29-98-8D-D7 dtz=Asia/Riyadh _cefVer=0.1 aid=3o0OiZmYBABCACGN9CiyuGQ\\=\\=' + "\n")
-    message = mt.render(mark="<111>", host=host)
+        "{{ bsd }} {{ host }} " + 'CEF:0|ArcSight|ArcSight|7.9.0.8084.0|agent:016|Device connection up|Low| eventId=77 msg=Connected to Host mrt=1539321047341 categorySignificance=/Normal categoryBehavior=/Access/Start categoryDeviceGroup=/Application catdt=Security Management categoryOutcome=/Success categoryObject=/Host/Application art=1539321049259 cat=/Agent/Connection/Device?Success deviceSeverity=Warning rt=' + "{{ epoch }}" + ' dhost=WIN-PAN1 dst=192.168.13.152 destinationZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 fileType=Agent cs2=<Resource ID\\="3MQ1+L2YBABCAApZ7fvr37A\\=\\="/> cs2Label=Configuration Resource ahost=win-pan1 agt=192.168.13.152 agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 amac=00-0C-29-98-8D-D7 av=7.9.0.8084.0 atz=Asia/Riyadh at=windowsfg dvchost=win-pan1 dvc=192.168.13.152 deviceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 dvcmac=00-0C-29-98-8D-D7 dtz=Asia/Riyadh _cefVer=0.1 aid=3o0OiZmYBABCACGN9CiyuGQ\\=\\=' + "\n")
+    message = mt.render(mark="<111>", bsd=bsd, host=host)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=main host=\"{{ host }}\" sourcetype=\"cef\" source=ArcSight:ArcSight | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=main host=\"{{ host }}\" sourcetype=\"cef\" source=ArcSight:ArcSight")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -39,14 +46,20 @@ def test_microfocus_arcsight_ts_rt(record_property, setup_wordlist, setup_splunk
 def test_microfocus_arcsight_ts_end(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{% now 'local', '%b %d %H:%M:%S' %} {{ host }} " + 'CEF:0|ArcSight|ArcSight|7.9.0.8084.0|agent:016|Device connection up|Low| eventId=77 msg=Connected to Host mrt=1539321047341 categorySignificance=/Normal categoryBehavior=/Access/Start categoryDeviceGroup=/Application catdt=Security Management categoryOutcome=/Success categoryObject=/Host/Application art=1539321049259 cat=/Agent/Connection/Device?Success deviceSeverity=Warning end=' + "{% now 'local', '%s' %}" + ' dhost=WIN-PAN1 dst=192.168.13.152 destinationZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 fileType=Agent cs2=<Resource ID\\="3MQ1+L2YBABCAApZ7fvr37A\\=\\="/> cs2Label=Configuration Resource ahost=win-pan1 agt=192.168.13.152 agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 amac=00-0C-29-98-8D-D7 av=7.9.0.8084.0 atz=Asia/Riyadh at=windowsfg dvchost=win-pan1 dvc=192.168.13.152 deviceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 dvcmac=00-0C-29-98-8D-D7 dtz=Asia/Riyadh _cefVer=0.1 aid=3o0OiZmYBABCACGN9CiyuGQ\\=\\=' + "\n")
-    message = mt.render(mark="<111>", host=host)
+        "{{ bsd }} {{ host }} " + 'CEF:0|ArcSight|ArcSight|7.9.0.8084.0|agent:016|Device connection up|Low| eventId=77 msg=Connected to Host mrt=1539321047341 categorySignificance=/Normal categoryBehavior=/Access/Start categoryDeviceGroup=/Application catdt=Security Management categoryOutcome=/Success categoryObject=/Host/Application art=1539321049259 cat=/Agent/Connection/Device?Success deviceSeverity=Warning end=' + "{{ epoch }}" + ' dhost=WIN-PAN1 dst=192.168.13.152 destinationZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 fileType=Agent cs2=<Resource ID\\="3MQ1+L2YBABCAApZ7fvr37A\\=\\="/> cs2Label=Configuration Resource ahost=win-pan1 agt=192.168.13.152 agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 amac=00-0C-29-98-8D-D7 av=7.9.0.8084.0 atz=Asia/Riyadh at=windowsfg dvchost=win-pan1 dvc=192.168.13.152 deviceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 dvcmac=00-0C-29-98-8D-D7 dtz=Asia/Riyadh _cefVer=0.1 aid=3o0OiZmYBABCACGN9CiyuGQ\\=\\=' + "\n")
+    message = mt.render(mark="<111>", bsd=bsd, host=host)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=main host=\"{{ host }}\" sourcetype=\"cef\" source=ArcSight:ArcSight| head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=main host=\"{{ host }}\" sourcetype=\"cef\" source=ArcSight:ArcSight| head 2")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -59,14 +72,20 @@ def test_microfocus_arcsight_ts_end(record_property, setup_wordlist, setup_splun
 def test_microfocus_arcsight_ts_syslog(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{% now 'local', '%b %d %H:%M:%S' %} {{ host }} " + 'CEF:0|ArcSight|ArcSight|7.9.0.8084.0|agent:016|Device connection up|Low| eventId=77 msg=Connected to Host mrt=1539321047341 categorySignificance=/Normal categoryBehavior=/Access/Start categoryDeviceGroup=/Application catdt=Security Management categoryOutcome=/Success categoryObject=/Host/Application art=1539321049259 cat=/Agent/Connection/Device?Success deviceSeverity=Warning dhost=WIN-PAN1 dst=192.168.13.152 destinationZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 fileType=Agent cs2=<Resource ID\\="3MQ1+L2YBABCAApZ7fvr37A\\=\\="/> cs2Label=Configuration Resource ahost=win-pan1 agt=192.168.13.152 agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 amac=00-0C-29-98-8D-D7 av=7.9.0.8084.0 atz=Asia/Riyadh at=windowsfg dvchost=win-pan1 dvc=192.168.13.152 deviceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 dvcmac=00-0C-29-98-8D-D7 dtz=Asia/Riyadh _cefVer=0.1 aid=3o0OiZmYBABCACGN9CiyuGQ\\=\\=' + "\n")
-    message = mt.render(mark="<111>", host=host)
+        "{{ bsd }} {{ host }} " + 'CEF:0|ArcSight|ArcSight|7.9.0.8084.0|agent:016|Device connection up|Low| eventId=77 msg=Connected to Host mrt=1539321047341 categorySignificance=/Normal categoryBehavior=/Access/Start categoryDeviceGroup=/Application catdt=Security Management categoryOutcome=/Success categoryObject=/Host/Application art=1539321049259 cat=/Agent/Connection/Device?Success deviceSeverity=Warning dhost=WIN-PAN1 dst=192.168.13.152 destinationZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 fileType=Agent cs2=<Resource ID\\="3MQ1+L2YBABCAApZ7fvr37A\\=\\="/> cs2Label=Configuration Resource ahost=win-pan1 agt=192.168.13.152 agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 amac=00-0C-29-98-8D-D7 av=7.9.0.8084.0 atz=Asia/Riyadh at=windowsfg dvchost=win-pan1 dvc=192.168.13.152 deviceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 dvcmac=00-0C-29-98-8D-D7 dtz=Asia/Riyadh _cefVer=0.1 aid=3o0OiZmYBABCACGN9CiyuGQ\\=\\=' + "\n")
+    message = mt.render(mark="<111>", bsd=bsd, host=host)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=main host=\"{{ host }}\" sourcetype=\"cef\" source=ArcSight:ArcSight | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=main host=\"{{ host }}\" sourcetype=\"cef\" source=ArcSight:ArcSight")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -79,14 +98,20 @@ def test_microfocus_arcsight_ts_syslog(record_property, setup_wordlist, setup_sp
 def test_microfocus_arcsight_windows(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{% now 'local', '%b %d %H:%M:%S' %} {{ host }} " + 'CEF:0|Microsoft|Microsoft Windows||Microsoft-Windows-Security-Auditing:4634|An account was logged off.|Low| eventId=1 externalId=4634 msg=Network: A user or computer logged on to this computer from the network. rawEvent=EventlogType\=Security&&EventIndex\=1031&&WindowsVersion\=Windows Server 2012 R2&&WindowsKeyMapFamily\=Windows 2012 R2&&WindowsParserFamily\=Windows 2012 R2|2012|8&&DetectTime\=2018-10-12 7:25:11&&EventSource\=Microsoft-Windows-Security-Auditing&&EventID\=4634&&EventType\=Audit_success&&EventCategory\=12545&&User\=null&&ComputerName\=WIN-PAN1&&Description\=An account was logged off.&&Message\=This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.&&Subject:Security ID\=S-1-5-21-750061412-3179291162-3140434184-500&&Subject:Account Name\=Administrator&&Subject:Account Domain\=WIN-PAN1&&Subject:Logon ID\=0x373c2&&Logon Type\=3 categorySignificance=/Informational categoryBehavior=/Access/Stop categoryDeviceGroup=/Operating System catdt=Operating System categoryOutcome=/Success categoryObject=/Host/Operating System art=1539321047369 cat=Security deviceSeverity=Audit_success rt=' + "{% now 'local', '%s' %}" + ' dhost=WIN-PAN1 dst=192.168.13.152 destinationZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 dntdom=WIN-PAN1 duser=Administrator duid=0x373c2 cs2=Logon/Logoff:Logoff cn1=3 cs1Label=Accesses cs2Label=EventlogCategory cs4Label=Reason or Error Code cs5Label=Authentication Package Name cn1Label=LogonType cn2Label=CrashOnAuditFail cn3Label=Count ahost=win-pan1 agt=192.168.13.152 agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 amac=00-0C-29-98-8D-D7 av=7.9.0.8084.0 atz=Asia/Riyadh at=windowsfg dvchost=WIN-PAN1 dvc=192.168.13.152 deviceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 deviceNtDomain=WIN-PAN1 dtz=Asia/Riyadh _cefVer=0.1 ad.WindowsVersion=Windows Server 2012 R2 ad.WindowsParserFamily=Windows 2012 R2|2012|8 ad.WindowsKeyMapFamily=Windows 2012 R2 ad.EventIndex=1031 aid=3o0OiZmYBABCACGN9CiyuGQ\=\=' + "\n")
-    message = mt.render(mark="<111>", host=host)
+        "{{ bsd }} {{ host }} " + 'CEF:0|Microsoft|Microsoft Windows||Microsoft-Windows-Security-Auditing:4634|An account was logged off.|Low| eventId=1 externalId=4634 msg=Network: A user or computer logged on to this computer from the network. rawEvent=EventlogType\=Security&&EventIndex\=1031&&WindowsVersion\=Windows Server 2012 R2&&WindowsKeyMapFamily\=Windows 2012 R2&&WindowsParserFamily\=Windows 2012 R2|2012|8&&DetectTime\=2018-10-12 7:25:11&&EventSource\=Microsoft-Windows-Security-Auditing&&EventID\=4634&&EventType\=Audit_success&&EventCategory\=12545&&User\=null&&ComputerName\=WIN-PAN1&&Description\=An account was logged off.&&Message\=This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.&&Subject:Security ID\=S-1-5-21-750061412-3179291162-3140434184-500&&Subject:Account Name\=Administrator&&Subject:Account Domain\=WIN-PAN1&&Subject:Logon ID\=0x373c2&&Logon Type\=3 categorySignificance=/Informational categoryBehavior=/Access/Stop categoryDeviceGroup=/Operating System catdt=Operating System categoryOutcome=/Success categoryObject=/Host/Operating System art=1539321047369 cat=Security deviceSeverity=Audit_success rt=' + "{{ epoch }}" + ' dhost=WIN-PAN1 dst=192.168.13.152 destinationZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 dntdom=WIN-PAN1 duser=Administrator duid=0x373c2 cs2=Logon/Logoff:Logoff cn1=3 cs1Label=Accesses cs2Label=EventlogCategory cs4Label=Reason or Error Code cs5Label=Authentication Package Name cn1Label=LogonType cn2Label=CrashOnAuditFail cn3Label=Count ahost=win-pan1 agt=192.168.13.152 agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 amac=00-0C-29-98-8D-D7 av=7.9.0.8084.0 atz=Asia/Riyadh at=windowsfg dvchost=WIN-PAN1 dvc=192.168.13.152 deviceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 deviceNtDomain=WIN-PAN1 dtz=Asia/Riyadh _cefVer=0.1 ad.WindowsVersion=Windows Server 2012 R2 ad.WindowsParserFamily=Windows 2012 R2|2012|8 ad.WindowsKeyMapFamily=Windows 2012 R2 ad.EventIndex=1031 aid=3o0OiZmYBABCACGN9CiyuGQ\=\=' + "\n")
+    message = mt.render(mark="<111>", bsd=bsd, host=host)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=oswinsec host=\"{{ host }}\" sourcetype=\"cef\" source=\"CEFEventLog:Microsoft Windows\" | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=oswinsec host=\"{{ host }}\" sourcetype=\"cef\" source=\"CEFEventLog:Microsoft Windows\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -99,14 +124,20 @@ def test_microfocus_arcsight_windows(record_property, setup_wordlist, setup_splu
 def test_microfocus_arcsight_windows_system(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{% now 'local', '%b %d %H:%M:%S' %} {{ host }} " + 'CEF:0|Microsoft|System or Application Event||Software Protection Platform Service:902|Software Protection Platform Service|Unknown| eventId=39 externalId=902 rawEvent=EventlogType\=Application&&EventIndex\=1604&&WindowsVersion\=Windows Server 2012 R2&&WindowsKeyMapFamily\=Windows 2012 R2&&WindowsParserFamily\=Windows 2012 R2|2012|8&&DetectTime\=2018-10-12 8:12:31&&EventSource\=Software Protection Platform Service&&EventID\=902&&EventType\=null&&EventCategory\=0&&User\=null&&ComputerName\=WIN-PAN1&&Key[0]\=6.3.9600.16384 art=1539321151610 cat=Application rt=' + "{% now 'local', '%s' %}" + ' cs2=0 cs3=Software Protection Platform Service cs2Label=EventlogCategory cs3Label=EventSource ahost=win-pan1 agt=192.168.13.152 agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 amac=00-0C-29-98-8D-D7 av=7.9.0.8084.0 atz=Asia/Riyadh at=windowsfg dvchost=WIN-PAN1 dvc=192.168.13.152 deviceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 dtz=Asia/Riyadh _cefVer=0.1 ad.WindowsVersion=Windows Server 2012 R2 ad.WindowsParserFamily=Windows 2012 R2|2012|8 ad.WindowsKeyMapFamily=Windows 2012 R2 ad.Key[0]=6.3.9600.16384 ad.EventIndex=1604 aid=3o0OiZmYBABCACGN9CiyuGQ\=\=' + "\n")
-    message = mt.render(mark="<111>", host=host)
+        "{{ bsd }} {{ host }} " + 'CEF:0|Microsoft|System or Application Event||Software Protection Platform Service:902|Software Protection Platform Service|Unknown| eventId=39 externalId=902 rawEvent=EventlogType\=Application&&EventIndex\=1604&&WindowsVersion\=Windows Server 2012 R2&&WindowsKeyMapFamily\=Windows 2012 R2&&WindowsParserFamily\=Windows 2012 R2|2012|8&&DetectTime\=2018-10-12 8:12:31&&EventSource\=Software Protection Platform Service&&EventID\=902&&EventType\=null&&EventCategory\=0&&User\=null&&ComputerName\=WIN-PAN1&&Key[0]\=6.3.9600.16384 art=1539321151610 cat=Application rt=' + "{{ epoch }}" + ' cs2=0 cs3=Software Protection Platform Service cs2Label=EventlogCategory cs3Label=EventSource ahost=win-pan1 agt=192.168.13.152 agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 amac=00-0C-29-98-8D-D7 av=7.9.0.8084.0 atz=Asia/Riyadh at=windowsfg dvchost=WIN-PAN1 dvc=192.168.13.152 deviceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 dtz=Asia/Riyadh _cefVer=0.1 ad.WindowsVersion=Windows Server 2012 R2 ad.WindowsParserFamily=Windows 2012 R2|2012|8 ad.WindowsKeyMapFamily=Windows 2012 R2 ad.Key[0]=6.3.9600.16384 ad.EventIndex=1604 aid=3o0OiZmYBABCACGN9CiyuGQ\=\=' + "\n")
+    message = mt.render(mark="<111>", bsd=bsd, host=host)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=oswin host=\"{{ host }}\" sourcetype=\"cef\" source=\"CEFEventLog:System or Application Event\" | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=oswin host=\"{{ host }}\" sourcetype=\"cef\" source=\"CEFEventLog:System or Application Event\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
diff --git a/tests/test_palo_alto.py b/tests/test_palo_alto.py
index b24e4ef..419e1b9 100644
--- a/tests/test_palo_alto.py
+++ b/tests/test_palo_alto.py
@@ -10,21 +10,29 @@
 
 from .sendmessage import *
 from .splunkutils import *
+from .timeutils import *
 
-env = Environment(extensions=['jinja2_time.TimeExtension'])
+env = Environment()
 
 #<190>Jan 28 01:28:35 PA-VM300-goran1 1,2014/01/28 01:28:35,007200001056,TRAFFIC,end,1,2014/01/28 01:28:34,192.168.41.30,192.168.41.255,10.193.16.193,192.168.41.255,allow-all,,,netbios-ns,vsys1,Trust,Untrust,ethernet1/1,ethernet1/2,To-Panorama,2014/01/28 01:28:34,8720,1,137,137,11637,137,0x400000,udp,allow,276,276,0,3,2014/01/28 01:28:02,2,any,0,2076326,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,3,0
 def test_palo_alto_traffic(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    time = dt.strftime("%Y/%m/%d %H:%M:%S")
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{{ mark }} {% now 'local', '%b %d %H:%M:%S' %} {{ host }} 1,{% now 'local', '%Y/%m/%d %H:%M:%S' %},007200C01056,TRAFFIC,end,1,{% now 'local', '%Y/%m/%d %H:%M:%S' %},192.168.41.30,192.168.41.255,10.193.16.193,192.168.41.255,allow-all,,,netbios-ns,vsys1,Trust,Untrust,ethernet1/1,ethernet1/2,To-Panorama,2014/01/28 01:28:34,8720,1,137,137,11637,137,0x400000,udp,allow,276,276,0,3,2014/01/28 01:28:02,2,any,0,2076326,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,3,0\n")
-    message = mt.render(mark="<111>", host=host)
+        "{{ mark }} {{ bsd }} {{ host }} 1,{{ time }},007200C01056,TRAFFIC,end,1,{{ time }},192.168.41.30,192.168.41.255,10.193.16.193,192.168.41.255,allow-all,,,netbios-ns,vsys1,Trust,Untrust,ethernet1/1,ethernet1/2,To-Panorama,2014/01/28 01:28:34,8720,1,137,137,11637,137,0x400000,udp,allow,276,276,0,3,2014/01/28 01:28:02,2,any,0,2076326,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,3,0\n")
+    message = mt.render(mark="<111>", bsd=bsd, host=host, time=time)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netfw host=\"{{ host }}\" sourcetype=\"pan:traffic\" | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=netfw host=\"{{ host }}\" sourcetype=\"pan:traffic\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -39,14 +47,21 @@ def test_palo_alto_traffic(record_property, setup_wordlist, setup_splunk, setup_
 def test_palo_alto_threat(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    time = dt.strftime("%Y/%m/%d %H:%M:%S")
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{{ mark }} {% now 'local', '%b %d %H:%M:%S' %} {{ host }} 1,{% now 'local', '%Y/%m/%d %H:%M:%S' %},01606001116,THREAT,url,1,{% now 'local', '%Y/%m/%d %H:%M:%S' %},192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,22860,1,59303,80,0,0,0x208000,tcp,alert,\"litetopdetect.cn/index.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html\n")
-    message = mt.render(mark="<111>", host=host)
+        "{{ mark }} {{ bsd }} {{ host }} 1,{{ time }},01606001116,THREAT,url,1,{{ time }},192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,22860,1,59303,80,0,0,0x208000,tcp,alert,\"litetopdetect.cn/index.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html\n")
+    message = mt.render(mark="<111>", bsd=bsd, host=host, time=time)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netproxy host=\"{{ host }}\" sourcetype=\"pan:threat\" | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=netproxy host=\"{{ host }}\" sourcetype=\"pan:threat\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -59,14 +74,21 @@ def test_palo_alto_threat(record_property, setup_wordlist, setup_splunk, setup_s
 def test_palo_alto_traffic_badietf(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    time = dt.strftime("%Y/%m/%d %H:%M:%S")
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{{ mark }}1 {% now 'local', '%b %d %H:%M:%S' %} {{ host }} 1,{% now 'local', '%Y/%m/%d %H:%M:%S' %},007200001056,TRAFFIC,end,1,{% now 'local', '%Y/%m/%d %H:%M:%S' %},192.168.41.30,192.168.41.255,10.193.16.193,192.168.41.255,allow-all,,,netbios-ns,vsys1,Trust,Untrust,ethernet1/1,ethernet1/2,To-Panorama,2014/01/28 01:28:34,8720,1,137,137,11637,137,0x400000,udp,allow,276,276,0,3,2014/01/28 01:28:02,2,any,0,2076326,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,3,0\n")
-    message = mt.render(mark="<111>", host=host)
+        "{{ mark }}1 {{ bsd }} {{ host }} 1,{{ time }},007200001056,TRAFFIC,end,1,{{ time }},192.168.41.30,192.168.41.255,10.193.16.193,192.168.41.255,allow-all,,,netbios-ns,vsys1,Trust,Untrust,ethernet1/1,ethernet1/2,To-Panorama,2014/01/28 01:28:34,8720,1,137,137,11637,137,0x400000,udp,allow,276,276,0,3,2014/01/28 01:28:02,2,any,0,2076326,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,3,0\n")
+    message = mt.render(mark="<111>", bsd=bsd, host=host, time=time)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netfw host=\"{{ host }}\" sourcetype=\"pan:traffic\" | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=netfw host=\"{{ host }}\" sourcetype=\"pan:traffic\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -81,14 +103,22 @@ def test_palo_alto_traffic_badietf(record_property, setup_wordlist, setup_splunk
 def test_palo_alto_traffic_mstime(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    time = dt.strftime("%Y/%m/%d %H:%M:%S.%f")[:-3]
+    tzoffset = tzoffset[0:3] + ":" + tzoffset[3:]
+    epoch = epoch[:-3]
+
     mt = env.from_string(
-        "{{ mark }} {% now 'local', '%b %d %H:%M:%S' %} {{ host }} 1,{% now 'local', '%Y/%m/%d %H:%M:%S.%f' %},007200001056,TRAFFIC,end,1,{% now 'local', '%Y/%m/%d %H:%M:%S.%f' %},192.168.41.30,192.168.41.255,10.193.16.193,192.168.41.255,allow-all,,,netbios-ns,vsys1,Trust,Untrust,ethernet1/1,ethernet1/2,To-Panorama,2014/01/28 01:28:34,8720,1,137,137,11637,137,0x400000,udp,allow,276,276,0,3,{% now 'local', '%Y/%m/%d %H:%M:%S.%f' %},2,any,0,2076326,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,3,0\n")
-    message = mt.render(mark="<111>", host=host)
+        "{{ mark }} {{ bsd }} {{ host }} 1,{{ time }},007200001056,TRAFFIC,end,1,{{ time }},192.168.41.30,192.168.41.255,10.193.16.193,192.168.41.255,allow-all,,,netbios-ns,vsys1,Trust,Untrust,ethernet1/1,ethernet1/2,To-Panorama,2014/01/28 01:28:34,8720,1,137,137,11637,137,0x400000,udp,allow,276,276,0,3,{% now 'local', '%Y/%m/%d %H:%M:%S.%f' %},2,any,0,2076326,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,3,0\n")
+    message = mt.render(mark="<111>", bsd=bsd, host=host, time=time)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netfw host=\"{{ host }}\" sourcetype=\"pan:traffic\" | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=netfw host=\"{{ host }}\" sourcetype=\"pan:traffic\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
diff --git a/tests/test_pfsense.py b/tests/test_pfsense.py
index 8b33bc4..dd5eb35 100644
--- a/tests/test_pfsense.py
+++ b/tests/test_pfsense.py
@@ -9,19 +9,27 @@
 
 from .sendmessage import *
 from .splunkutils import *
+from .timeutils import *
+
+env = Environment()
 
-env = Environment(extensions=['jinja2_time.TimeExtension'])
 #<27>Jan 25 01:58:06 filterlog: 82,,,1000002666,mvneta2,match,pass,out,6,0x00,0x00000,64,ICMPv6,58,8,fe80::208:a2ff:fe0f:cb66,fe80::56a6:5cff:fe7d:1d43,
 def test_pfsense_filterlog(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{{mark}}{% now 'local', '%b %d %H:%M:%S' %} filterlog: 82,,,1000002666,mvneta2,match,pass,out,6,0x00,0x00000,64,ICMPv6,58,8,{{key}},\n")
-    message = mt.render(mark="<27>", key=host)
+        "{{mark}}{{ bsd }} filterlog: 82,,,1000002666,mvneta2,match,pass,out,6,0x00,0x00000,64,ICMPv6,58,8,{{key}},\n")
+    message = mt.render(mark="<27>", bsd=bsd, key=host)
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][5006])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netfw sourcetype=pfsense:filterlog \"{{key}}\" earliest=-2m | head 2")
-    search = st.render(key=host)
+    st = env.from_string("search _time={{ epoch }} index=netfw sourcetype=pfsense:filterlog \"{{key}}\"")
+    search = st.render(epoch=epoch, key=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -35,13 +43,20 @@ def test_pfsense_filterlog(record_property, setup_wordlist, setup_splunk, setup_
 def test_pfsense_other(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
+
     mt = env.from_string(
-        "{{mark}}{% now 'local', '%b %d %H:%M:%S' %} kqueue error: {{key}}\n")
-    message = mt.render(mark="<27>", key=host)
+        "{{mark}}{{ bsd }} kqueue error: {{key}}\n")
+    message = mt.render(mark="<27>", bsd=bsd, key=host)
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][5006])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netops sourcetype=pfsense:* \"{{key}}\" earliest=-2m | head 2")
-    search = st.render(key=host)
+    st = env.from_string("search _time={{ epoch }} index=netops sourcetype=pfsense:* \"{{key}}\"")
+    search = st.render(epoch=epoch, key=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -55,13 +70,19 @@ def test_pfsense_other(record_property, setup_wordlist, setup_splunk, setup_sc4s
 def test_pfsense_syslogd(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{{mark}}{% now 'local', '%b %d %H:%M:%S' %} syslogd: restart {{key}}\n")
-    message = mt.render(mark="<27>", key=host)
+        "{{mark}}{{ bsd }} syslogd: restart {{key}}\n")
+    message = mt.render(mark="<27>", bsd=bsd, key=host)
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][5006])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netops sourcetype=pfsense:syslogd \"{{key}}\" earliest=-2m | head 2")
-    search = st.render(key=host)
+    st = env.from_string("search _time={{ epoch }} index=netops sourcetype=pfsense:syslogd \"{{key}}\"")
+    search = st.render(epoch=epoch, key=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
diff --git a/tests/test_plugin_example.py b/tests/test_plugin_example.py
index 5c21e35..2ff045b 100644
--- a/tests/test_plugin_example.py
+++ b/tests/test_plugin_example.py
@@ -9,19 +9,26 @@
 
 from .sendmessage import *
 from .splunkutils import *
+from .timeutils import *
 
-env = Environment(extensions=['jinja2_time.TimeExtension'])
+env = Environment()
 
 def test_plugin_local_example(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
-    mt = env.from_string("{{ mark }} {% now 'local', '%b %d %H:%M:%S' %} {{ host }} sc4splugin[0]: test\n")
-    message = mt.render(mark="<111>", host=host)
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
+    mt = env.from_string("{{ mark }} {{ bsd }} {{ host }} sc4splugin[0]: test\n")
+    message = mt.render(mark="<111>", bsd=bsd, host=host)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=main host=\"{{ host }}\" sourcetype=\"sc4s:local_example\" | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=main host=\"{{ host }}\" sourcetype=\"sc4s:local_example\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
diff --git a/tests/test_proofpoint.py b/tests/test_proofpoint.py
index f16e45d..b78e112 100644
--- a/tests/test_proofpoint.py
+++ b/tests/test_proofpoint.py
@@ -8,22 +8,28 @@
 
 from .sendmessage import *
 from .splunkutils import *
+from .timeutils import *
 
-env = Environment(extensions=['jinja2_time.TimeExtension'])
-
+env = Environment()
 
 # Apr 17 18:33:26 aplegw01 filter_instance1[195529]: rprt s=2hdryp02r6 m=1 x=2hdryp02r6-1 cmd=send profile=mail qid=w3HMWjG3039079 rcpts=rfaircloth@splunk.com
 def test_proofpoint_pps_filter(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s):
     host = get_host_key
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{{ mark }} {% now 'local', '%b %d %H:%M:%S' %} {{ host }} filter_instance1[195529]: rprt s=2hdryp02r6 m=1 x=2hdryp02r6-1 cmd=send profile=mail qid=w3HMWjG3039079 rcpts=rfaircloth@splunk.com\n")
-    message = mt.render(mark="<166>", host=host)
+        "{{ mark }} {{ bsd }} {{ host }} filter_instance1[195529]: rprt s=2hdryp02r6 m=1 x=2hdryp02r6-1 cmd=send profile=mail qid=w3HMWjG3039079 rcpts=rfaircloth@splunk.com\n")
+    message = mt.render(mark="<166>", bsd=bsd, host=host)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=email host=\"{{ host }}\" sourcetype=\"pps_filter_log\" | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=email host=\"{{ host }}\" sourcetype=\"pps_filter_log\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -37,14 +43,20 @@ def test_proofpoint_pps_filter(record_property, setup_wordlist, get_host_key, se
 def test_proofpoint_pps_mail(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s):
     host = get_host_key
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{{ mark }} {% now 'local', '%b %d %H:%M:%S' %} pps-{{ host }} sendmail[195529]: w3HMZPVT056101: to=<rfaircloth@splunk.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, tls_verify=FAIL, pri=133527, relay=mx1.splunk.iphmx.com. [216.71.153.223], dsn=2.0.0, stat=Sent (ok:  Message 22675962 accepted)\n")
-    message = mt.render(mark="<166>", host=host)
+        "{{ mark }} {{ bsd }} pps-{{ host }} sendmail[195529]: w3HMZPVT056101: to=<rfaircloth@splunk.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, tls_verify=FAIL, pri=133527, relay=mx1.splunk.iphmx.com. [216.71.153.223], dsn=2.0.0, stat=Sent (ok:  Message 22675962 accepted)\n")
+    message = mt.render(mark="<166>", bsd=bsd, host=host)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=email host=\"pps-{{ host }}\" sourcetype=\"pps_mail_log\" | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=email host=\"pps-{{ host }}\" sourcetype=\"pps_mail_log\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
diff --git a/tests/test_symantec_brightmail.py b/tests/test_symantec_brightmail.py
index 130ad78..cfd4d2d 100644
--- a/tests/test_symantec_brightmail.py
+++ b/tests/test_symantec_brightmail.py
@@ -10,19 +10,27 @@
 
 from .sendmessage import *
 from .splunkutils import *
+from .timeutils import *
+
+env = Environment()
 
-env = Environment(extensions=['jinja2_time.TimeExtension'])
 # <141>Oct 24 21:05:43 smg-1 conduit: [Brightmail] (NOTICE:7500.3119331456): [12066] 'BrightSig3 Newsletter Rules' were updated successfully.
 def test_symantec_brightmail(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{{ mark }}{% now 'local', '%b %d %H:%M:%S' %} {{host}} conduit: [Brightmail] (NOTICE:7500.3119331456): [12066] 'BrightSig3 Newsletter Rules' were updated successfully.")
-    message = mt.render(mark="<134>", host=host)
+        "{{ mark }}{{ bsd }} {{host}} conduit: [Brightmail] (NOTICE:7500.3119331456): [12066] 'BrightSig3 Newsletter Rules' were updated successfully.")
+    message = mt.render(mark="<134>", bsd=bsd, host=host)
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=email host=\"{{ host }}\" sourcetype=\"symantec:smg\" | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=email host=\"{{ host }}\" sourcetype=\"symantec:smg\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -36,29 +44,35 @@ def test_symantec_brightmail_msg(record_property, setup_wordlist, setup_splunk,
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
     msgid = uuid.uuid4()
 
-    mt = env.from_string("""{{ mark }}{% now 'local', '%b %d %H:%M:%S' %} {{host}} bmserver: 1576195989|{{ MSGID }}|VERDICT|someone@example.com|none|default|default\n
-{{ mark }}{% now 'local', '%b %d %H:%M:%S' %} {{host}} bmserver: 1576195989|{{ MSGID }}|FIRED|someone@example.com|none\n
-{{ mark }}{% now 'local', '%b %d %H:%M:%S' %} {{host}} bmserver: 1576195989|{{ MSGID }}|UNTESTED|someone@example.com|safe|opl|content_1574820902092|content_1574820956288|content_1574821059194|content_1574821017042|sys_deny_ip|sys_allow_ip|sys_deny_email|dns_allow|dns_deny|user_allow|user_deny|freq_va|freq_dha|freq_sa|connection_class_0|connection_class_1|connection_class_2|connection_class_3|connection_class_4|connection_class_5|connection_class_6|connection_class_7|connection_class_8|connection_class_9|blockedlang|knownlang\n
-{{ mark }}{% now 'local', '%b %d %H:%M:%S' %} {{host}} bmserver: 1576195989|{{ MSGID }}|LOGICAL_IP|200.200.200.154\n
-{{ mark }}{% now 'local', '%b %d %H:%M:%S' %} {{host}} bmserver: 1576195989|{{ MSGID }}|ATTACHFILTER|google-play_111-33.png\n
-{{ mark }}{% now 'local', '%b %d %H:%M:%S' %} {{host}} bmserver: 1576195989|{{ MSGID }}|ATTACHFILTER|mac_appstore_136_33.png\n
-{{ mark }}{% now 'local', '%b %d %H:%M:%S' %} {{host}} bmserver: 1576195989|{{ MSGID }}|ATTACHFILTER|6f0c8ad8-e0da-4bcc-aac9-8fa71ba43bb6.jpg\n
-{{ mark }}{% now 'local', '%b %d %H:%M:%S' %} {{host}} bmserver: 1576195989|{{ MSGID }}|ATTACHFILTER|b340ec99-9c66-4a19-a2f4-ee467e0d63e1.jpg\n
-{{ mark }}{% now 'local', '%b %d %H:%M:%S' %} {{host}} bmserver: 1576195989|{{ MSGID }}|ATTACHFILTER|product-logo.update.png\n
-{{ mark }}{% now 'local', '%b %d %H:%M:%S' %} {{host}} bmserver: 1576195989|{{ MSGID }}|ATTACHFILTER|header-research.png\n
-{{ mark }}{% now 'local', '%b %d %H:%M:%S' %} {{host}} bmserver: 1576195989|{{ MSGID }}|ATTACHFILTER|ms-logo-138.png\n
-{{ mark }}{% now 'local', '%b %d %H:%M:%S' %} {{host}} bmserver: 1576195988|{{ MSGID }}|ATTACH|ms-logo-138.png|header-research.png|product-logo.update.png|b340ec99-9c66-4a19-a2f4-ee467e0d63e1.jpg|6f0c8ad8-e0da-4bcc-aac9-8fa71ba43bb6.jpg|mac_appstore_136_33.png|google-play_111-33.png\n
-{{ mark }}{% now 'local', '%b %d %H:%M:%S' %} {{host}} bmserver: 1576195988|{{ MSGID }}|EHLO|mail6.bemta23.messagelabs.com\n
-{{ mark }}{% now 'local', '%b %d %H:%M:%S' %} {{host}} bmserver: 1576195988|{{ MSGID }}|MSG_SIZE|94239\n
-{{ mark }}{% now 'local', '%b %d %H:%M:%S' %} {{host}} bmserver: 1576195988|{{ MSGID }}|MSGID| <7jszytr60wmja@example.com>\n
-{{ mark }}{% now 'local', '%b %d %H:%M:%S' %} {{host}} bmserver: 1576195988|{{ MSGID }}|SUBJECT|pulse: this is a subject\n
-{{ mark }}{% now 'local', '%b %d %H:%M:%S' %} {{host}} bmserver: 1576195988|{{ MSGID }}|SOURCE|external\n
-{{ mark }}{% now 'local', '%b %d %H:%M:%S' %} {{host}} bmserver: 1576195987|{{ MSGID }}|VERDICT|<none>|connection_class_1|default|static connection class 1\n""")
-    message = mt.render(mark="<1>", host=host, MSGID=msgid)
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
+    mt = env.from_string("""{{ mark }}{{ bsd }} {{host}} bmserver: 1576195989|{{ MSGID }}|VERDICT|someone@example.com|none|default|default\n
+{{ mark }}{{ bsd }} {{host}} bmserver: 1576195989|{{ MSGID }}|FIRED|someone@example.com|none\n
+{{ mark }}{{ bsd }} {{host}} bmserver: 1576195989|{{ MSGID }}|UNTESTED|someone@example.com|safe|opl|content_1574820902092|content_1574820956288|content_1574821059194|content_1574821017042|sys_deny_ip|sys_allow_ip|sys_deny_email|dns_allow|dns_deny|user_allow|user_deny|freq_va|freq_dha|freq_sa|connection_class_0|connection_class_1|connection_class_2|connection_class_3|connection_class_4|connection_class_5|connection_class_6|connection_class_7|connection_class_8|connection_class_9|blockedlang|knownlang\n
+{{ mark }}{{ bsd }} {{host}} bmserver: 1576195989|{{ MSGID }}|LOGICAL_IP|200.200.200.154\n
+{{ mark }}{{ bsd }} {{host}} bmserver: 1576195989|{{ MSGID }}|ATTACHFILTER|google-play_111-33.png\n
+{{ mark }}{{ bsd }} {{host}} bmserver: 1576195989|{{ MSGID }}|ATTACHFILTER|mac_appstore_136_33.png\n
+{{ mark }}{{ bsd }} {{host}} bmserver: 1576195989|{{ MSGID }}|ATTACHFILTER|6f0c8ad8-e0da-4bcc-aac9-8fa71ba43bb6.jpg\n
+{{ mark }}{{ bsd }} {{host}} bmserver: 1576195989|{{ MSGID }}|ATTACHFILTER|b340ec99-9c66-4a19-a2f4-ee467e0d63e1.jpg\n
+{{ mark }}{{ bsd }} {{host}} bmserver: 1576195989|{{ MSGID }}|ATTACHFILTER|product-logo.update.png\n
+{{ mark }}{{ bsd }} {{host}} bmserver: 1576195989|{{ MSGID }}|ATTACHFILTER|header-research.png\n
+{{ mark }}{{ bsd }} {{host}} bmserver: 1576195989|{{ MSGID }}|ATTACHFILTER|ms-logo-138.png\n
+{{ mark }}{{ bsd }} {{host}} bmserver: 1576195988|{{ MSGID }}|ATTACH|ms-logo-138.png|header-research.png|product-logo.update.png|b340ec99-9c66-4a19-a2f4-ee467e0d63e1.jpg|6f0c8ad8-e0da-4bcc-aac9-8fa71ba43bb6.jpg|mac_appstore_136_33.png|google-play_111-33.png\n
+{{ mark }}{{ bsd }} {{host}} bmserver: 1576195988|{{ MSGID }}|EHLO|mail6.bemta23.messagelabs.com\n
+{{ mark }}{{ bsd }} {{host}} bmserver: 1576195988|{{ MSGID }}|MSG_SIZE|94239\n
+{{ mark }}{{ bsd }} {{host}} bmserver: 1576195988|{{ MSGID }}|MSGID| <7jszytr60wmja@example.com>\n
+{{ mark }}{{ bsd }} {{host}} bmserver: 1576195988|{{ MSGID }}|SUBJECT|pulse: this is a subject\n
+{{ mark }}{{ bsd }} {{host}} bmserver: 1576195988|{{ MSGID }}|SOURCE|external\n
+{{ mark }}{{ bsd }} {{host}} bmserver: 1576195987|{{ MSGID }}|VERDICT|<none>|connection_class_1|default|static connection class 1\n""")
+    message = mt.render(mark="<1>", bsd=bsd, host=host, MSGID=msgid)
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=email host=\"{{ host }}\" sourcetype=\"symantec:smg:mail\" | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=email host=\"{{ host }}\" sourcetype=\"symantec:smg:mail\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
diff --git a/tests/test_symantec_proxy.py b/tests/test_symantec_proxy.py
index 4f965ca..ad90bbb 100644
--- a/tests/test_symantec_proxy.py
+++ b/tests/test_symantec_proxy.py
@@ -9,19 +9,28 @@
 
 from .sendmessage import *
 from .splunkutils import *
+from .timeutils import *
+
+env = Environment()
 
-env = Environment(extensions=['jinja2_time.TimeExtension'])
 # <134>1 2019-08-21T17:42:08.000z "sample_logs bluecoat[0]:SPLV5.1 c-ip=192.0.0.6 cs-bytes=6269 cs-categories="unavailable" cs-host=gg.hhh.iii.com cs-ip=192.0.0.6 cs-method=GET cs-uri-path=/Sample/abc-xyz-01.pqr_sample_Internal.crt/MFAwTqADAgEAMEcwRTBDMAkGBSsOAwIaBQAEFOoaVMtyzC9gObESY9g1eXf1VM8VBBTl1mBq2WFf4cYqBI6c08kr4S302gIKUCIZdgAAAAAnQA%3D%3D cs-uri-port=8000 cs-uri-scheme=http cs-User-Agent="ocspd/1.0.3" cs-username=user4 clientduration=0 rs-status=0 s-action=TCP_HIT s-ip=10.0.0.6 serveripservice.name="Explicit HTTP" service.group="Standard" s-supplier-ip=10.0.0.6 s-supplier-name=gg.hhh.iii.com sc-bytes=9469 sc-filter-result=OBSERVED sc-status=200 time-taken=20 x-bluecoat-appliance-name="10.0.0.6-sample_logs" x-bluecoat-appliance-primary-address=10.0.0.6 x-bluecoat-proxy-primary-address=10.0.0.6 x-bluecoat-transaction-uuid=35d24c931c0erecta-0003000012161a77e70-00042100041002145cc859ed c-url="http://randomserver:8000/en-US/app/examples/"
 def test_bluecoatproxySG_kv(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now(datetime.timezone.utc)
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    iso = dt.isoformat()[0:23]
+    epoch = epoch[:-3]
+
     mt = env.from_string(
-        "{{ mark }} {% now 'utc', '%Y-%m-%dT%H:%M:%SZ' %} {{host}} bluecoat[0]: SPLV5.1 c-ip=192.0.0.6 cs-bytes=6269 cs-categories=\"unavailable\" cs-host=gg.hhh.iii.com cs-ip=192.0.0.6 cs-method=GET cs-uri-path=/Sample/abc-xyz-01.pqr_sample_Internal.crt/MFAwTqADAgEAMEcwRTBDMAkGBSsOAwIaBQAEFOoaVMtyzC9gObESY9g1eXf1VM8VBBTl1mBq2WFf4cYqBI6c08kr4S302gIKUCIZdgAAAAAnQA%3D%3D cs-uri-port=8000 cs-uri-scheme=http cs-User-Agent=\"ocspd/1.0.3\" cs-username=user4 clientduration=0 rs-status=0 s-action=TCP_HIT s-ip=10.0.0.6 serveripservice.name=\"Explicit HTTP\" service.group=\"Standard\" s-supplier-ip=10.0.0.6 s-supplier-name=gg.hhh.iii.com sc-bytes=9469 sc-filter-result=OBSERVED sc-status=200 time-taken=20 x-bluecoat-appliance-name=\"10.0.0.6-sample_logs\" x-bluecoat-appliance-primary-address=10.0.0.6 x-bluecoat-proxy-primary-address=10.0.0.6 x-bluecoat-transaction-uuid=35d24c931c0erecta-0003000012161a77e70-00042100041002145cc859ed c-url=\"http://randomserver:8000/en-US/app/examples/\"")
-    message = mt.render(mark="<134>", host=host)
+        "{{ mark }} {{ iso }}Z {{host}} bluecoat[0]: SPLV5.1 c-ip=192.0.0.6 cs-bytes=6269 cs-categories=\"unavailable\" cs-host=gg.hhh.iii.com cs-ip=192.0.0.6 cs-method=GET cs-uri-path=/Sample/abc-xyz-01.pqr_sample_Internal.crt/MFAwTqADAgEAMEcwRTBDMAkGBSsOAwIaBQAEFOoaVMtyzC9gObESY9g1eXf1VM8VBBTl1mBq2WFf4cYqBI6c08kr4S302gIKUCIZdgAAAAAnQA%3D%3D cs-uri-port=8000 cs-uri-scheme=http cs-User-Agent=\"ocspd/1.0.3\" cs-username=user4 clientduration=0 rs-status=0 s-action=TCP_HIT s-ip=10.0.0.6 serveripservice.name=\"Explicit HTTP\" service.group=\"Standard\" s-supplier-ip=10.0.0.6 s-supplier-name=gg.hhh.iii.com sc-bytes=9469 sc-filter-result=OBSERVED sc-status=200 time-taken=20 x-bluecoat-appliance-name=\"10.0.0.6-sample_logs\" x-bluecoat-appliance-primary-address=10.0.0.6 x-bluecoat-proxy-primary-address=10.0.0.6 x-bluecoat-transaction-uuid=35d24c931c0erecta-0003000012161a77e70-00042100041002145cc859ed c-url=\"http://randomserver:8000/en-US/app/examples/\"")
+    message = mt.render(mark="<134>", iso=iso, host=host)
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netproxy host=\"{{ host }}\" sourcetype=\"bluecoat:proxysg:access:kv\" | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=netproxy host=\"{{ host }}\" sourcetype=\"bluecoat:proxysg:access:kv\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
diff --git a/tests/test_ubiquiti_unifi.py b/tests/test_ubiquiti_unifi.py
index 2b79eb7..82c3f25 100644
--- a/tests/test_ubiquiti_unifi.py
+++ b/tests/test_ubiquiti_unifi.py
@@ -9,20 +9,28 @@
 
 from .sendmessage import *
 from .splunkutils import *
+from .timeutils import *
+
+env = Environment()
 
-env = Environment(extensions=['jinja2_time.TimeExtension'])
 #<27>Nov  8 17:28:43 US8P60,18e8294876c3,v4.0.66.10832 switch: DOT1S: dot1sBpduReceive(): Discarding the BPDU on port 0/7, since it is an invalid BPDU type
 
 def test_ubiquiti_unifi_us8p60(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{{mark}}{% now 'local', '%b %d %H:%M:%S' %} US8P60,18e8294876c3,v4.0.66.10832 switch: DOT1S: dot1sBpduReceive(): Discarding the BPDU on port 0/7, since it is an invalid BPDU type {{key}}")
-    message = mt.render(mark="<27>", key=host)
+        "{{mark}}{{ bsd }} US8P60,18e8294876c3,v4.0.66.10832 switch: DOT1S: dot1sBpduReceive(): Discarding the BPDU on port 0/7, since it is an invalid BPDU type {{key}}")
+    message = mt.render(mark="<27>", bsd=bsd, key=host)
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netops sourcetype=ubnt:switch \"{{key}}\" earliest=-2m | head 2")
-    search = st.render(key=host)
+    st = env.from_string("search _time={{ epoch }} index=netops sourcetype=ubnt:switch \"{{key}}\"")
+    search = st.render(epoch=epoch)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -36,13 +44,19 @@ def test_ubiquiti_unifi_us8p60(record_property, setup_wordlist, setup_splunk, se
 def test_ubiquiti_unifi_switch_us24p250(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{{mark}}{% now 'local', '%b %d %H:%M:%S' %} US24P250,f09fc26f4419,v4.0.54.10625 switch: TRAPMGR: Cold Start: Unit: {{key}}")
-    message = mt.render(mark="<27>", key=host)
+        "{{mark}}{{ bsd }} US24P250,f09fc26f4419,v4.0.54.10625 switch: TRAPMGR: Cold Start: Unit: {{key}}")
+    message = mt.render(mark="<27>", bsd=bsd, key=host)
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netops sourcetype=ubnt:switch \"{{key}}\" earliest=-2m | head 2")
-    search = st.render(key=host)
+    st = env.from_string("search _time={{ epoch }} index=netops sourcetype=ubnt:switch \"{{key}}\"")
+    search = st.render(epoch=epoch, key=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -56,13 +70,19 @@ def test_ubiquiti_unifi_switch_us24p250(record_property, setup_wordlist, setup_s
 def test_ubiquiti_unifi_ap_u7pg2(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{{mark}}{% now 'local', '%b %d %H:%M:%S' %} U7PG2,788a2056b181,v4.0.66.10832: logread[5495]: Logread connected to 10.2.0.9:514")
-    message = mt.render(mark="<27>", host=host)
+        "{{mark}}{{ bsd }} U7PG2,788a2056b181,v4.0.66.10832: logread[5495]: Logread connected to 10.2.0.9:514")
+    message = mt.render(mark="<27>", bsd=bsd)
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netops sourcetype=ubnt:wireless earliest=-2m | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=netops sourcetype=ubnt:wireless")
+    search = st.render(epoch=epoch)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -76,13 +96,19 @@ def test_ubiquiti_unifi_ap_u7pg2(record_property, setup_wordlist, setup_splunk,
 def test_ubiquiti_unifi_usg(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{{mark}}{% now 'local', '%b %d %H:%M:%S' %} usg-{{host}} kernel: [LAN_LOCAL-default-A]IN=eth0.2004 OUT= MAC= SRC=10.254.3.1 DST=224.0.0.251 LEN=348 TOS=0x00 PREC=0x00 TTL=255 ID=32463 DF PROTO=UDP SPT=5353 DPT=5353 LEN=328")
-    message = mt.render(mark="<27>", host=host)
+        "{{mark}}{{ bsd }} usg-{{host}} kernel: [LAN_LOCAL-default-A]IN=eth0.2004 OUT= MAC= SRC=10.254.3.1 DST=224.0.0.251 LEN=348 TOS=0x00 PREC=0x00 TTL=255 ID=32463 DF PROTO=UDP SPT=5353 DPT=5353 LEN=328")
+    message = mt.render(mark="<27>", bsd=bsd, host=host)
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netfw sourcetype=ubnt:fw host=usg-{{host}} | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=netfw sourcetype=ubnt:fw host=usg-{{host}}")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
diff --git a/tests/test_vmware.py b/tests/test_vmware.py
index 9c16f27..7f6c371 100644
--- a/tests/test_vmware.py
+++ b/tests/test_vmware.py
@@ -11,22 +11,31 @@
 
 from .sendmessage import *
 from .splunkutils import *
-import random
+from .timeutils import *
 
-env = Environment(extensions=['jinja2_time.TimeExtension'])
+env = Environment()
 
 #vpxd 123 - - Event [3481177] [1-1] [2019-05-23T09:03:36.213922Z] [vim.event.UserLoginSessionEvent] [info] [VSPHERE.LOCAL\svc-vcenter-user] [] [3481177] [User VSPHERE.LOCAL\svc-vcenter-user@192.168.10.10 logged in as pyvmomi Python/2.7.13 (Linux; 4.9.0-7-amd64; x86_64)]
 def test_linux_vmware(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "testvmw-{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
     pid = random.randint(1000, 32000)
 
-    mt = env.from_string("{{ mark }}1 {% now 'utc', '%Y-%m-%dT%H:%M:%SZ' %} {{ host }} vpxd {{ pid }} - - Event [3481177] [1-1] [2019-05-23T09:03:36.213922Z] [vim.event.UserLoginSessionEvent] [info] [VSPHERE.LOCAL\svc-vcenter-user] [] [3481177] [User VSPHERE.LOCAL\svc-vcenter-user@192.168.10.10 logged in as pyvmomi Python/2.7.13 (Linux; 4.9.0-7-amd64; x86_64)]\n")
-    message = mt.render(mark="<144>", host=host, pid=pid)
+    dt = datetime.datetime.now(datetime.timezone.utc)
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    # iso from included timeutils is from local timezone; need to keep iso as UTC
+    iso = dt.isoformat()[0:26]
+    iso_header = dt.isoformat()[0:23]
+    epoch = epoch[:-3]
+
+    mt = env.from_string("{{ mark }}1 {{ iso_header }}Z {{ host }} vpxd {{ pid }} - - Event [3481177] [1-1] [{{ iso }}Z] [vim.event.UserLoginSessionEvent] [info] [VSPHERE.LOCAL\svc-vcenter-user] [] [3481177] [User VSPHERE.LOCAL\svc-vcenter-user@192.168.10.10 logged in as pyvmomi Python/2.7.13 (Linux; 4.9.0-7-amd64; x86_64)]\n")
+    message = mt.render(mark="<144>", iso_header=iso_header, iso=iso, host=host, pid=pid)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=main {{ pid }} sourcetype=\"vmware:vsphere:esx\" | head 2")
-    search = st.render(host=host, pid=pid)
+    st = env.from_string("search _time={{ epoch }} index=main host={{ host }} {{ pid }} sourcetype=\"vmware:vsphere:esx\"")
+    search = st.render(epoch=epoch, host=host, pid=pid)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -41,13 +50,21 @@ def test_linux_vmware_nsx_ietf(record_property, setup_wordlist, setup_splunk, se
     host = "testvmw-{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
     pid = random.randint(1000, 32000)
 
-    mt = env.from_string("{{ mark }}1 {% now 'utc', '%Y-%m-%dT%H:%M:%SZ' %} {{ host }} NSX - SYSTEM [nsx@6876 comp=\"nsx-manager\" errorCode=\"MP4039\" subcomp=\"manager\"] Connection verification failed for broker '10.160.108.196'. Marking broker unhealthy.\n")
-    message = mt.render(mark="<144>", host=host, pid=pid)
+    dt = datetime.datetime.now(datetime.timezone.utc)
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    # iso from included timeutils is from local timezone; need to keep iso as UTC
+    iso_header = dt.isoformat()[0:23]
+    epoch = epoch[:-3]
+
+    mt = env.from_string("{{ mark }}1 {{ iso_header }}Z {{ host }} NSX - SYSTEM [nsx@6876 comp=\"nsx-manager\" errorCode=\"MP4039\" subcomp=\"manager\"] Connection verification failed for broker '10.160.108.196'. Marking broker unhealthy.\n")
+    message = mt.render(mark="<144>", iso_header=iso_header, host=host)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=main host={{ host }} sourcetype=\"vmware:vsphere:nsx\" | head 2")
-    search = st.render(host=host, pid=pid)
+    st = env.from_string("search _time={{ epoch }} index=main host={{ host }} sourcetype=\"vmware:vsphere:nsx\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -62,13 +79,19 @@ def test_linux_vmware_nsx_fw(record_property, setup_wordlist, setup_splunk, setu
     host = "testvmw-{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
     pid = random.randint(1000, 32000)
 
-    mt = env.from_string("{{ mark }} {% now 'local', '%b %d %H:%M:%S' %} {{ host }} dfwpktlogs: {{ pid }} INET match PASS domain-c7/1001 IN 60 TCP 10.33.24.50/45926->10.33.24.9/8140 S\n")
-    message = mt.render(mark="<144>", host=host, pid=pid)
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
+    mt = env.from_string("{{ mark }} {{ bsd }} {{ host }} dfwpktlogs: {{ pid }} INET match PASS domain-c7/1001 IN 60 TCP 10.33.24.50/45926->10.33.24.9/8140 S\n")
+    message = mt.render(mark="<144>", bsd=bsd, host=host, pid=pid)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=main host={{ host }} {{ pid }} sourcetype=\"vmware:vsphere:nsx\" | head 2")
-    search = st.render(host=host, pid=pid)
+    st = env.from_string("search _time={{ epoch }} index=main host={{ host }} {{ pid }} sourcetype=\"vmware:vsphere:nsx\"")
+    search = st.render(epoch=epoch, host=host, pid=pid)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
diff --git a/tests/test_zscaler_proxy.py b/tests/test_zscaler_proxy.py
index 3873592..389069e 100644
--- a/tests/test_zscaler_proxy.py
+++ b/tests/test_zscaler_proxy.py
@@ -9,20 +9,29 @@
 
 from .sendmessage import *
 from .splunkutils import *
+from .timeutils import *
+
+env = Environment()
 
-env = Environment(extensions=['jinja2_time.TimeExtension'])
 #Note the long white space is a \t
 #2019-10-16 15:44:36    reason=Allowed    event_id=6748427317914894361    protocol=HTTPS    action=Allowed    transactionsize=663    responsesize=65    requestsize=598    urlcategory=UK_ALLOW_Pharmacies    serverip=216.58.204.70    clienttranstime=0    requestmethod=CONNECT    refererURL=None    useragent=Windows Windows 10 Enterprise ZTunnel/1.0    product=NSS    location=UK_Wynyard_VPN->other    ClientIP=192.168.0.38    status=200    user=first.last@example.com    url=4171764.fls.doubleclick.net:443    vendor=Zscaler    hostname=4171764.fls.doubleclick.net    clientpublicIP=213.86.221.94    threatcategory=None    threatname=None    filetype=None    appname=DoubleClick    pagerisk=0    department=Procurement, Generics    urlsupercategory=User-defined    appclass=Sales and Marketing    dlpengine=None    urlclass=Bandwidth Loss    threatclass=None    dlpdictionaries=None    fileclass=None    bwthrottle=NO    servertranstime=0    md5=None
 def test_zscaler_proxy(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    time = time[:-7]
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{% now 'local', '%Y-%m-%d %H:%M:%S' %}\treason=Allowed\tevent_id=6748427317914894361\tprotocol=HTTPS\taction=Allowed\ttransactionsize=663\tresponsesize=65\trequestsize=598\turlcategory=UK_ALLOW_Pharmacies\tserverip=216.58.204.70\tclienttranstime=0\trequestmethod=CONNECT\trefererURL=None\tuseragent=Windows Windows 10 Enterprise ZTunnel/1.0\tproduct=NSS\tlocation=UK_Wynyard_VPN->other\tClientIP=192.168.0.38\tstatus=200\tuser=first.last@example.com\turl=4171764.fls.doubleclick.net:443\tvendor=Zscaler\thostname={{host}}.fls.doubleclick.net\tclientpublicIP=213.86.221.94\tthreatcategory=None\tthreatname=None\tfiletype=None\tappname=DoubleClick\tpagerisk=0\tdepartment=Procurement, Generics\turlsupercategory=User-defined\tappclass=Sales and Marketing\tdlpengine=None\turlclass=Bandwidth Loss\tthreatclass=None\tdlpdictionaries=None\tfileclass=None\tbwthrottle=NO\tservertranstime=0\tmd5=None")
-    message = mt.render(mark="<134>", host=host)
+        "{{ date }} {{ time }}\treason=Allowed\tevent_id=6748427317914894361\tprotocol=HTTPS\taction=Allowed\ttransactionsize=663\tresponsesize=65\trequestsize=598\turlcategory=UK_ALLOW_Pharmacies\tserverip=216.58.204.70\tclienttranstime=0\trequestmethod=CONNECT\trefererURL=None\tuseragent=Windows Windows 10 Enterprise ZTunnel/1.0\tproduct=NSS\tlocation=UK_Wynyard_VPN->other\tClientIP=192.168.0.38\tstatus=200\tuser=first.last@example.com\turl=4171764.fls.doubleclick.net:443\tvendor=Zscaler\thostname={{host}}.fls.doubleclick.net\tclientpublicIP=213.86.221.94\tthreatcategory=None\tthreatname=None\tfiletype=None\tappname=DoubleClick\tpagerisk=0\tdepartment=Procurement, Generics\turlsupercategory=User-defined\tappclass=Sales and Marketing\tdlpengine=None\turlclass=Bandwidth Loss\tthreatclass=None\tdlpdictionaries=None\tfileclass=None\tbwthrottle=NO\tservertranstime=0\tmd5=None")
+    message = mt.render(mark="<134>", date=date, time=time, host=host)
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netproxy sourcetype=\"zscalernss-web\" hostname={{host}}.fls.doubleclick.net  | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=netproxy sourcetype=\"zscalernss-web\" hostname={{host}}.fls.doubleclick.net")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -36,13 +45,20 @@ def test_zscaler_proxy(record_property, setup_wordlist, setup_splunk, setup_sc4s
 def test_zscaler_proxy_new(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    time = time[:-7]
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{% now 'local', '%Y-%m-%d %H:%M:%S' %}"+ '	reason=Allowed	event_id=6799437957281873922	protocol=HTTP	action=Allowed	transactionsize=623	responsesize=512	requestsize=111	urlcategory=Internet Services	serverip=13.107.4.52	clienttranstime=3	requestmethod=GET	refererURL="None"	useragent=Microsoft NCSI	product=NSS	location=Road Warrior	ClientIP=136.35.16.85	status=200	user=mdutta@acme.com	url="www.msftconnecttest.com/connecttest.txt"	vendor=Zscaler	hostname={{host}}.fls.doubleclick.net	clientpublicIP=136.35.16.85	threatcategory=None	threatname=None	filetype=None	appname=generalbrowsing	pagerisk=0	department=Default Department	urlsupercategory=Internet Communication	appclass=General Browsing	dlpengine=None	urlclass=Business Use	threatclass=None	dlpdictionaries=None	fileclass=None	bwthrottle=NO	servertranstime=3	md5=None	contenttype=text/plain	trafficredirectmethod=Z_APP	rulelabel=None	ruletype=None	mobappname=None	mobappcat=None	mobdevtype=None	bwclassname=General Surfing	bwrulename=No Bandwidth Control	throttlereqsize=0	throttlerespsize=0	deviceappversion=1.5.1.8	devicemodel=20QF000CUS	devicemodel=20QF000CUS	devicename=mdutta	devicename=mdutta	deviceostype=Windows OS	deviceostype=Windows OS	deviceosversion=Windows 10 Enterprise	deviceplatform=	clientsslcipher=None	clientsslsessreuse=UNKNOWN	clienttlsversion=None	serversslsessreuse=UNKNOWN	servertranstime=3	srvcertchainvalpass=UNKNOWN	srvcertvalidationtype=None	srvcertvalidityperiod=None	srvocspresult=None	srvsslcipher=None	srvtlsversion=None	srvwildcardcert=UNKNOWN	serversslsessreuse="UNKNOWN"	dlpidentifier="0"	dlpmd5="None"	epochtime="1583117516"	filename="None"	filesubtype="None"	module="General Browsing"	productversion="5.7r.78.218665_84"	reqdatasize="0"	reqhdrsize="111"	respdatasize="22"	resphdrsize="490"	respsize="512"	respversion="1.1"	tz="GMT"')
-    message = mt.render(mark="<134>", host=host)
+        "{{ date }} {{ time }}"+ '	reason=Allowed	event_id=6799437957281873922	protocol=HTTP	action=Allowed	transactionsize=623	responsesize=512	requestsize=111	urlcategory=Internet Services	serverip=13.107.4.52	clienttranstime=3	requestmethod=GET	refererURL="None"	useragent=Microsoft NCSI	product=NSS	location=Road Warrior	ClientIP=136.35.16.85	status=200	user=mdutta@acme.com	url="www.msftconnecttest.com/connecttest.txt"	vendor=Zscaler	hostname={{host}}.fls.doubleclick.net	clientpublicIP=136.35.16.85	threatcategory=None	threatname=None	filetype=None	appname=generalbrowsing	pagerisk=0	department=Default Department	urlsupercategory=Internet Communication	appclass=General Browsing	dlpengine=None	urlclass=Business Use	threatclass=None	dlpdictionaries=None	fileclass=None	bwthrottle=NO	servertranstime=3	md5=None	contenttype=text/plain	trafficredirectmethod=Z_APP	rulelabel=None	ruletype=None	mobappname=None	mobappcat=None	mobdevtype=None	bwclassname=General Surfing	bwrulename=No Bandwidth Control	throttlereqsize=0	throttlerespsize=0	deviceappversion=1.5.1.8	devicemodel=20QF000CUS	devicemodel=20QF000CUS	devicename=mdutta	devicename=mdutta	deviceostype=Windows OS	deviceostype=Windows OS	deviceosversion=Windows 10 Enterprise	deviceplatform=	clientsslcipher=None	clientsslsessreuse=UNKNOWN	clienttlsversion=None	serversslsessreuse=UNKNOWN	servertranstime=3	srvcertchainvalpass=UNKNOWN	srvcertvalidationtype=None	srvcertvalidityperiod=None	srvocspresult=None	srvsslcipher=None	srvtlsversion=None	srvwildcardcert=UNKNOWN	serversslsessreuse="UNKNOWN"	dlpidentifier="0"	dlpmd5="None"	epochtime="1583117516"	filename="None"	filesubtype="None"	module="General Browsing"	productversion="5.7r.78.218665_84"	reqdatasize="0"	reqhdrsize="111"	respdatasize="22"	resphdrsize="490"	respsize="512"	respversion="1.1"	tz="GMT"')
+    message = mt.render(mark="<134>", date=date, time=time, host=host)
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netproxy sourcetype=\"zscalernss-web\" hostname={{host}}.fls.doubleclick.net  | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=netproxy sourcetype=\"zscalernss-web\" hostname={{host}}.fls.doubleclick.net")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -56,13 +72,20 @@ def test_zscaler_proxy_new(record_property, setup_wordlist, setup_splunk, setup_
 def test_zscaler_proxy_pri(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    time = time[:-7]
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{{mark}}{% now 'local', '%Y-%m-%d %H:%M:%S' %}\treason=Allowed\tevent_id=6748427317914894362\tprotocol=HTTPS\taction=Allowed\ttransactionsize=663\tresponsesize=65\trequestsize=598\turlcategory=UK_ALLOW_Pharmacies\tserverip=216.58.204.70\tclienttranstime=0\trequestmethod=CONNECT\trefererURL=None\tuseragent=Windows Windows 10 Enterprise ZTunnel/1.0\tproduct=NSS\tlocation=UK_Wynyard_VPN->other\tClientIP=192.168.0.38\tstatus=200\tuser=first.last@example.com\turl=4171764.fls.doubleclick.net:443\tvendor=Zscaler\thostname={{host}}.fls.doubleclick.net\tclientpublicIP=213.86.221.94\tthreatcategory=None\tthreatname=None\tfiletype=None\tappname=DoubleClick\tpagerisk=0\tdepartment=Procurement, Generics\turlsupercategory=User-defined\tappclass=Sales and Marketing\tdlpengine=None\turlclass=Bandwidth Loss\tthreatclass=None\tdlpdictionaries=None\tfileclass=None\tbwthrottle=NO\tservertranstime=0\tmd5=None")
-    message = mt.render(mark="<134>", host=host)
+        "{{mark}}{{ date }} {{ time }}\treason=Allowed\tevent_id=6748427317914894362\tprotocol=HTTPS\taction=Allowed\ttransactionsize=663\tresponsesize=65\trequestsize=598\turlcategory=UK_ALLOW_Pharmacies\tserverip=216.58.204.70\tclienttranstime=0\trequestmethod=CONNECT\trefererURL=None\tuseragent=Windows Windows 10 Enterprise ZTunnel/1.0\tproduct=NSS\tlocation=UK_Wynyard_VPN->other\tClientIP=192.168.0.38\tstatus=200\tuser=first.last@example.com\turl=4171764.fls.doubleclick.net:443\tvendor=Zscaler\thostname={{host}}.fls.doubleclick.net\tclientpublicIP=213.86.221.94\tthreatcategory=None\tthreatname=None\tfiletype=None\tappname=DoubleClick\tpagerisk=0\tdepartment=Procurement, Generics\turlsupercategory=User-defined\tappclass=Sales and Marketing\tdlpengine=None\turlclass=Bandwidth Loss\tthreatclass=None\tdlpdictionaries=None\tfileclass=None\tbwthrottle=NO\tservertranstime=0\tmd5=None")
+    message = mt.render(mark="<134>", date=date, time=time, host=host)
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netproxy sourcetype=\"zscalernss-web\" hostname={{host}}.fls.doubleclick.net | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=netproxy sourcetype=\"zscalernss-web\" hostname={{host}}.fls.doubleclick.net")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -76,13 +99,19 @@ def test_zscaler_proxy_pri(record_property, setup_wordlist, setup_splunk, setup_
 def test_zscaler_nss_alerts(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{{mark}}{% now 'local', '%b %d %H:%M:%S' %} [10.0.0.143] ZscalerNSS: The NSS free memory has decreased to 1.40 GB which is below the recommended 1.55 GB {{host}}")
-    message = mt.render(mark="<134>", host=host)
+        "{{mark}}{{ bsd }} [10.0.0.143] ZscalerNSS: The NSS free memory has decreased to 1.40 GB which is below the recommended 1.55 GB {{host}}")
+    message = mt.render(mark="<134>", bsd=bsd, host=host)
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netops sourcetype=\"zscalernss-alerts\" \"{{host}}\" | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=netops sourcetype=\"zscalernss-alerts\" \"{{host}}\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -96,13 +125,20 @@ def test_zscaler_nss_alerts(record_property, setup_wordlist, setup_splunk, setup
 def test_zscaler_lss_zpa_app(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    lss_time = dt.strftime("%a %b %d %H:%M:%S %Y")
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{\"LogTimestamp\": \"{% now 'local', '%b %d %H:%M:%S %Y' %}" + '","Customer": "Acme, Inc.","SessionID": "qdLxaTYtMbsCQllNaCZ2","ConnectionID": "qdLxaTYtMbsCQllNaCZ2,aZcOpy7yN8iPncqmSuAv","InternalReason": "","ConnectionStatus": "active","IPProtocol": 6,"DoubleEncryption": 0,"Username": "nlipper@acme.com","ServicePort": 8384,"ClientPublicIP": "73.144.81.255","ClientPrivateIP": "","ClientLatitude": 42.000000,"ClientLongitude": -84.000000,"ClientCountryCode": "US","ClientZEN": "US-OH-8290","Policy": "Any Any Allow","Connector": "DFA Azure-2","ConnectorZEN": "US-OH-8290","ConnectorIP": "10.202.4.68","ConnectorPort": 35992,"Host": "10.26.1.19","Application": "DFA IP SPACE","AppGroup": "Dynamically Discovered Apps","Server": "0","ServerIP": "{{host}}","ServerPort": 8384,"PolicyProcessingTime": 120,"CAProcessingTime": 445,"ConnectorZENSetupTime": 46610,"ConnectionSetupTime": 47200,"ServerSetupTime": 22207,"AppLearnTime": 0,"TimestampConnectionStart": "2020-02-29T20:42:01.228Z","TimestampConnectionEnd": "","TimestampCATx": "2020-02-29T20:42:01.228Z","TimestampCARx": "2020-02-29T20:42:01.228Z","TimestampAppLearnStart": "","TimestampZENFirstRxClient": "","TimestampZENFirstTxClient": "","TimestampZENLastRxClient": "","TimestampZENLastTxClient": "","TimestampConnectorZENSetupComplete": "2020-02-29T20:42:01.275Z","TimestampZENFirstRxConnector": "","TimestampZENFirstTxConnector": "","TimestampZENLastRxConnector": "","TimestampZENLastTxConnector": "","ZENTotalBytesRxClient": 0,"ZENBytesRxClient": 0,"ZENTotalBytesTxClient": 0,"ZENBytesTxClient": 0,"ZENTotalBytesRxConnector": 0,"ZENBytesRxConnector": 0,"ZENTotalBytesTxConnector": 0,"ZENBytesTxConnector": 0,"Idp": "IDP Config"}')
-    message = mt.render(mark="<134>", host=host)
+        "{\"LogTimestamp\": \"{{ lss_time }}" + '","Customer": "Acme, Inc.","SessionID": "qdLxaTYtMbsCQllNaCZ2","ConnectionID": "qdLxaTYtMbsCQllNaCZ2,aZcOpy7yN8iPncqmSuAv","InternalReason": "","ConnectionStatus": "active","IPProtocol": 6,"DoubleEncryption": 0,"Username": "nlipper@acme.com","ServicePort": 8384,"ClientPublicIP": "73.144.81.255","ClientPrivateIP": "","ClientLatitude": 42.000000,"ClientLongitude": -84.000000,"ClientCountryCode": "US","ClientZEN": "US-OH-8290","Policy": "Any Any Allow","Connector": "DFA Azure-2","ConnectorZEN": "US-OH-8290","ConnectorIP": "10.202.4.68","ConnectorPort": 35992,"Host": "10.26.1.19","Application": "DFA IP SPACE","AppGroup": "Dynamically Discovered Apps","Server": "0","ServerIP": "{{host}}","ServerPort": 8384,"PolicyProcessingTime": 120,"CAProcessingTime": 445,"ConnectorZENSetupTime": 46610,"ConnectionSetupTime": 47200,"ServerSetupTime": 22207,"AppLearnTime": 0,"TimestampConnectionStart": "2020-02-29T20:42:01.228Z","TimestampConnectionEnd": "","TimestampCATx": "2020-02-29T20:42:01.228Z","TimestampCARx": "2020-02-29T20:42:01.228Z","TimestampAppLearnStart": "","TimestampZENFirstRxClient": "","TimestampZENFirstTxClient": "","TimestampZENLastRxClient": "","TimestampZENLastTxClient": "","TimestampConnectorZENSetupComplete": "2020-02-29T20:42:01.275Z","TimestampZENFirstRxConnector": "","TimestampZENFirstTxConnector": "","TimestampZENLastRxConnector": "","TimestampZENLastTxConnector": "","ZENTotalBytesRxClient": 0,"ZENBytesRxClient": 0,"ZENTotalBytesTxClient": 0,"ZENBytesTxClient": 0,"ZENTotalBytesRxConnector": 0,"ZENBytesRxConnector": 0,"ZENTotalBytesTxConnector": 0,"ZENBytesTxConnector": 0,"Idp": "IDP Config"}')
+    message = mt.render(mark="<134>", lss_time=lss_time, host=host)
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netproxy sourcetype=\"zscalerlss-zpa-app\" \"{{host}}\" | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=netproxy sourcetype=\"zscalerlss-zpa-app\" \"{{host}}\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -116,13 +152,20 @@ def test_zscaler_lss_zpa_app(record_property, setup_wordlist, setup_splunk, setu
 def test_zscaler_lss_zpa_app_pri(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    lss_time = dt.strftime("%a %b %d %H:%M:%S %Y")
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{{mark}}{\"LogTimestamp\": \"{% now 'local', '%b %d %H:%M:%S %Y' %}" + '","Customer": "Acme, Inc.","SessionID": "qdLxaTYtMbsCQllNaCZ2","ConnectionID": "qdLxaTYtMbsCQllNaCZ2,aZcOpy7yN8iPncqmSuAv","InternalReason": "","ConnectionStatus": "active","IPProtocol": 6,"DoubleEncryption": 0,"Username": "nlipper@acme.com","ServicePort": 8384,"ClientPublicIP": "73.144.81.255","ClientPrivateIP": "","ClientLatitude": 42.000000,"ClientLongitude": -84.000000,"ClientCountryCode": "US","ClientZEN": "US-OH-8290","Policy": "Any Any Allow","Connector": "DFA Azure-2","ConnectorZEN": "US-OH-8290","ConnectorIP": "10.202.4.68","ConnectorPort": 35992,"Host": "10.26.1.19","Application": "DFA IP SPACE","AppGroup": "Dynamically Discovered Apps","Server": "0","ServerIP": "{{host}}","ServerPort": 8384,"PolicyProcessingTime": 120,"CAProcessingTime": 445,"ConnectorZENSetupTime": 46610,"ConnectionSetupTime": 47200,"ServerSetupTime": 22207,"AppLearnTime": 0,"TimestampConnectionStart": "2020-02-29T20:42:01.228Z","TimestampConnectionEnd": "","TimestampCATx": "2020-02-29T20:42:01.228Z","TimestampCARx": "2020-02-29T20:42:01.228Z","TimestampAppLearnStart": "","TimestampZENFirstRxClient": "","TimestampZENFirstTxClient": "","TimestampZENLastRxClient": "","TimestampZENLastTxClient": "","TimestampConnectorZENSetupComplete": "2020-02-29T20:42:01.275Z","TimestampZENFirstRxConnector": "","TimestampZENFirstTxConnector": "","TimestampZENLastRxConnector": "","TimestampZENLastTxConnector": "","ZENTotalBytesRxClient": 0,"ZENBytesRxClient": 0,"ZENTotalBytesTxClient": 0,"ZENBytesTxClient": 0,"ZENTotalBytesRxConnector": 0,"ZENBytesRxConnector": 0,"ZENTotalBytesTxConnector": 0,"ZENBytesTxConnector": 0,"Idp": "IDP Config"}')
-    message = mt.render(mark="<134>", host=host)
+        "{{mark}}{\"LogTimestamp\": \"{{ lss_time }}" + '","Customer": "Acme, Inc.","SessionID": "qdLxaTYtMbsCQllNaCZ2","ConnectionID": "qdLxaTYtMbsCQllNaCZ2,aZcOpy7yN8iPncqmSuAv","InternalReason": "","ConnectionStatus": "active","IPProtocol": 6,"DoubleEncryption": 0,"Username": "nlipper@acme.com","ServicePort": 8384,"ClientPublicIP": "73.144.81.255","ClientPrivateIP": "","ClientLatitude": 42.000000,"ClientLongitude": -84.000000,"ClientCountryCode": "US","ClientZEN": "US-OH-8290","Policy": "Any Any Allow","Connector": "DFA Azure-2","ConnectorZEN": "US-OH-8290","ConnectorIP": "10.202.4.68","ConnectorPort": 35992,"Host": "10.26.1.19","Application": "DFA IP SPACE","AppGroup": "Dynamically Discovered Apps","Server": "0","ServerIP": "{{host}}","ServerPort": 8384,"PolicyProcessingTime": 120,"CAProcessingTime": 445,"ConnectorZENSetupTime": 46610,"ConnectionSetupTime": 47200,"ServerSetupTime": 22207,"AppLearnTime": 0,"TimestampConnectionStart": "2020-02-29T20:42:01.228Z","TimestampConnectionEnd": "","TimestampCATx": "2020-02-29T20:42:01.228Z","TimestampCARx": "2020-02-29T20:42:01.228Z","TimestampAppLearnStart": "","TimestampZENFirstRxClient": "","TimestampZENFirstTxClient": "","TimestampZENLastRxClient": "","TimestampZENLastTxClient": "","TimestampConnectorZENSetupComplete": "2020-02-29T20:42:01.275Z","TimestampZENFirstRxConnector": "","TimestampZENFirstTxConnector": "","TimestampZENLastRxConnector": "","TimestampZENLastTxConnector": "","ZENTotalBytesRxClient": 0,"ZENBytesRxClient": 0,"ZENTotalBytesTxClient": 0,"ZENBytesTxClient": 0,"ZENTotalBytesRxConnector": 0,"ZENBytesRxConnector": 0,"ZENTotalBytesTxConnector": 0,"ZENBytesTxConnector": 0,"Idp": "IDP Config"}')
+    message = mt.render(mark="<134>", lss_time=lss_time, host=host)
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netproxy sourcetype=\"zscalerlss-zpa-app\" \"{{host}}\" | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=netproxy sourcetype=\"zscalerlss-zpa-app\" \"{{host}}\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -136,13 +179,20 @@ def test_zscaler_lss_zpa_app_pri(record_property, setup_wordlist, setup_splunk,
 def test_zscaler_lss_zpa_bba(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    lss_time = dt.strftime("%a %b %d %H:%M:%S %Y")
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{\"LogTimestamp\": \"{% now 'local', '%b %d %H:%M:%S %Y' %}" + '","ConnectionID":"6N9BHIHZrwGXJXG7q4sn,dUPdoZAgr6vJKlv588GG","Exporter":"unset","TimestampRequestReceiveStart":"2020-03-01T22:39:30.679Z","TimestampRequestReceiveHeaderFinish":"2020-03-01T22:39:30.679Z","TimestampRequestReceiveFinish":"2020-03-01T22:39:30.680Z","TimestampRequestTransmitStart":"2020-03-01T22:39:30.680Z","TimestampRequestTransmitFinish":"2020-03-02T02:28:53.277Z","TimestampResponseReceiveStart":"2020-03-01T22:39:30.707Z","TimestampResponseReceiveFinish":"2020-03-02T02:28:53.309Z","TimestampResponseTransmitStart":"2020-03-01T22:39:30.707Z","TimestampResponseTransmitFinish":"2020-03-02T02:28:51.762Z","TotalTimeRequestReceive":1193,"TotalTimeRequestTransmit":13762597414,"TotalTimeResponseReceive":13762601379,"TotalTimeResponseTransmit":13761054628,"TotalTimeConnectionSetup":1037,"TotalTimeServerResponse":-13762570100,"Method":"GET","Protocol":"HTTPS","Host":"accountman.dfamilk.com","URL":"/remoteDesktopGateway","UserAgent":"","XFF":"","NameID":"carlos.garcia.11@acme.com","StatusCode":101,"RequestSize":2246,"ResponseSize":3823185,"ApplicationPort":443,"ClientPublicIp":"162.205.86.162","ClientPublicPort":49330,"ClientPrivateIp":"","Customer":"{{host}}","ConnectionStatus":"zfce_mt_remote_disconnect","ConnectionReason":"BRK_MT_CLOSED_FROM_ASSISTANT"}')
-    message = mt.render(mark="<134>", host=host)
+        "{\"LogTimestamp\": \"{{ lss_time }}" + '","ConnectionID":"6N9BHIHZrwGXJXG7q4sn,dUPdoZAgr6vJKlv588GG","Exporter":"unset","TimestampRequestReceiveStart":"2020-03-01T22:39:30.679Z","TimestampRequestReceiveHeaderFinish":"2020-03-01T22:39:30.679Z","TimestampRequestReceiveFinish":"2020-03-01T22:39:30.680Z","TimestampRequestTransmitStart":"2020-03-01T22:39:30.680Z","TimestampRequestTransmitFinish":"2020-03-02T02:28:53.277Z","TimestampResponseReceiveStart":"2020-03-01T22:39:30.707Z","TimestampResponseReceiveFinish":"2020-03-02T02:28:53.309Z","TimestampResponseTransmitStart":"2020-03-01T22:39:30.707Z","TimestampResponseTransmitFinish":"2020-03-02T02:28:51.762Z","TotalTimeRequestReceive":1193,"TotalTimeRequestTransmit":13762597414,"TotalTimeResponseReceive":13762601379,"TotalTimeResponseTransmit":13761054628,"TotalTimeConnectionSetup":1037,"TotalTimeServerResponse":-13762570100,"Method":"GET","Protocol":"HTTPS","Host":"accountman.dfamilk.com","URL":"/remoteDesktopGateway","UserAgent":"","XFF":"","NameID":"carlos.garcia.11@acme.com","StatusCode":101,"RequestSize":2246,"ResponseSize":3823185,"ApplicationPort":443,"ClientPublicIp":"162.205.86.162","ClientPublicPort":49330,"ClientPrivateIp":"","Customer":"{{host}}","ConnectionStatus":"zfce_mt_remote_disconnect","ConnectionReason":"BRK_MT_CLOSED_FROM_ASSISTANT"}')
+    message = mt.render(mark="<134>", lss_time=lss_time, host=host)
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netproxy sourcetype=\"zscalerlss-zpa-bba\" \"{{host}}\" | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=netproxy sourcetype=\"zscalerlss-zpa-bba\" \"{{host}}\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -157,13 +207,20 @@ def test_zscaler_lss_zpa_bba(record_property, setup_wordlist, setup_splunk, setu
 def test_zscaler_lss_zpa_connector(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    lss_time = dt.strftime("%a %b %d %H:%M:%S %Y")
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{\"LogTimestamp\": \"{% now 'local', '%b %d %H:%M:%S %Y' %}" + '","Customer": "{{host}}","SessionID": "NNz9t5AY1Rq5dzyLbNRB","SessionType": "ZPN_ASSISTANT_BROKER_CONTROL","SessionStatus": "ZPN_STATUS_AUTHENTICATED","Version": "19.102.2","Platform": "el7","ZEN": "US-NY-8180","Connector": "St Albans-1","ConnectorGroup": "St Albans Connector","PrivateIP": "192.168.16.15","PublicIP": "184.80.224.186","Latitude": 44.000000,"Longitude": -73.000000,"CountryCode": "","TimestampAuthentication": "2020-02-27T07:03:53.689Z","TimestampUnAuthentication": "","CPUUtilization": 1,"MemUtilization": 16,"ServiceCount": 0,"InterfaceDefRoute": "eth0","DefRouteGW": "192.168.16.1","PrimaryDNSResolver": "192.168.16.16","HostUpTime": "1572630032","ConnectorUpTime": "1579500006","NumOfInterfaces": 2,"BytesRxInterface": 63778867197,"PacketsRxInterface": 669441337,"ErrorsRxInterface": 0,"DiscardsRxInterface": 1181261,"BytesTxInterface": 50473462713,"PacketsTxInterface": 492668679,"ErrorsTxInterface": 0,"DiscardsTxInterface": 0,"TotalBytesRx": 6979022,"TotalBytesTx": 47705494}')
-    message = mt.render(mark="<134>", host=host)
+        "{\"LogTimestamp\": \"{{ lss_time }}" + '","Customer": "{{host}}","SessionID": "NNz9t5AY1Rq5dzyLbNRB","SessionType": "ZPN_ASSISTANT_BROKER_CONTROL","SessionStatus": "ZPN_STATUS_AUTHENTICATED","Version": "19.102.2","Platform": "el7","ZEN": "US-NY-8180","Connector": "St Albans-1","ConnectorGroup": "St Albans Connector","PrivateIP": "192.168.16.15","PublicIP": "184.80.224.186","Latitude": 44.000000,"Longitude": -73.000000,"CountryCode": "","TimestampAuthentication": "2020-02-27T07:03:53.689Z","TimestampUnAuthentication": "","CPUUtilization": 1,"MemUtilization": 16,"ServiceCount": 0,"InterfaceDefRoute": "eth0","DefRouteGW": "192.168.16.1","PrimaryDNSResolver": "192.168.16.16","HostUpTime": "1572630032","ConnectorUpTime": "1579500006","NumOfInterfaces": 2,"BytesRxInterface": 63778867197,"PacketsRxInterface": 669441337,"ErrorsRxInterface": 0,"DiscardsRxInterface": 1181261,"BytesTxInterface": 50473462713,"PacketsTxInterface": 492668679,"ErrorsTxInterface": 0,"DiscardsTxInterface": 0,"TotalBytesRx": 6979022,"TotalBytesTx": 47705494}')
+    message = mt.render(mark="<134>", lss_time=lss_time, host=host)
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netproxy sourcetype=\"zscalerlss-zpa-connector\" \"{{host}}\" | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=netproxy sourcetype=\"zscalerlss-zpa-connector\" \"{{host}}\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -178,13 +235,20 @@ def test_zscaler_lss_zpa_connector(record_property, setup_wordlist, setup_splunk
 def test_zscaler_lss_zpa_auth(record_property, setup_wordlist, setup_splunk, setup_sc4s):
     host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
 
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    lss_time = dt.strftime("%a %b %d %H:%M:%S %Y")
+    epoch = epoch[:-7]
+
     mt = env.from_string(
-        "{\"LogTimestamp\": \"{% now 'local', '%b %d %H:%M:%S %Y' %}" + '","Customer": "{{host}}","Username": "ZPA LSS Client","SessionID": "cKgzUERSLl09Y+ytH8v5","SessionStatus": "ZPN_STATUS_AUTHENTICATED","Version": "19.12.0-36-g87dad18","ZEN": "broker1b.pdx2","CertificateCN": "slogger1b.pdx2.zpabeta.net","PrivateIP": "","PublicIP": "34.216.108.5","Latitude": 45.000000,"Longitude": -119.000000,"CountryCode": "US","TimestampAuthentication": "2019-05-29T21:18:38.000Z","TimestampUnAuthentication": "","TotalBytesRx": 31274866,"TotalBytesTx": 25424152,"Idp": "Example IDP Config","Hostname": "DESKTOP-2K299HC","Platform": "windows","ClientType": "zpn_client_type_zapp","TrustedNetworks": "TN1_stc1","TrustedNetworksNames": "145248739466947538","SAMLAttributes": "myname:jdoe,myemail:jdoe@zscaler.com","PosturesHit": "sm-posture1,sm-posture2","PosturesMisses": "sm-posture11,sm-posture12","ZENLatitude": 47.000000,"ZENLongitude": -122.000000,"ZENCountryCode": ""}')
-    message = mt.render(mark="<134>", host=host)
+        "{\"LogTimestamp\": \"{{ lss_time }}" + '","Customer": "{{host}}","Username": "ZPA LSS Client","SessionID": "cKgzUERSLl09Y+ytH8v5","SessionStatus": "ZPN_STATUS_AUTHENTICATED","Version": "19.12.0-36-g87dad18","ZEN": "broker1b.pdx2","CertificateCN": "slogger1b.pdx2.zpabeta.net","PrivateIP": "","PublicIP": "34.216.108.5","Latitude": 45.000000,"Longitude": -119.000000,"CountryCode": "US","TimestampAuthentication": "2019-05-29T21:18:38.000Z","TimestampUnAuthentication": "","TotalBytesRx": 31274866,"TotalBytesTx": 25424152,"Idp": "Example IDP Config","Hostname": "DESKTOP-2K299HC","Platform": "windows","ClientType": "zpn_client_type_zapp","TrustedNetworks": "TN1_stc1","TrustedNetworksNames": "145248739466947538","SAMLAttributes": "myname:jdoe,myemail:jdoe@zscaler.com","PosturesHit": "sm-posture1,sm-posture2","PosturesMisses": "sm-posture11,sm-posture12","ZENLatitude": 47.000000,"ZENLongitude": -122.000000,"ZENCountryCode": ""}')
+    message = mt.render(mark="<134>", lss_time=lss_time, host=host)
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search earliest=-1m@m latest=+1m@m index=netauth sourcetype=\"zscalerlss-zpa-auth\" \"{{host}}\" | head 2")
-    search = st.render(host=host)
+    st = env.from_string("search _time={{ epoch }} index=netauth sourcetype=\"zscalerlss-zpa-auth\" \"{{host}}\"")
+    search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
diff --git a/tests/timeutils.py b/tests/timeutils.py
new file mode 100644
index 0000000..0e89bd0
--- /dev/null
+++ b/tests/timeutils.py
@@ -0,0 +1,41 @@
+import re
+import datetime
+
+# Helper functions
+# Insert a character at given location in string (e.g space between ms and TZ offset 2020-02-12 12:46:39.323 -08:00)
+def insert_char(string, char, integer):
+    return string[0:integer] + char + string[integer:]
+
+def removeZero(tz):
+    return re.sub(r'\b0+(\d)(?=:)', r'\1', tz)
+
+def time_operations(dt):
+    # Generate an ISO 8601 (RFC 5424) compliant timestamp with local timezone offset (2020-02-12T12:46:39.323-08:00)
+    # See https://stackoverflow.com/questions/2150739/iso-time-iso-8601-in-python
+    iso = dt.astimezone().isoformat(sep='T', timespec='microseconds')
+    # Generate an BSD-style (RFC 3164) compliant timestamp with no timezone (Oct 25 13:08:00)
+    bsd = dt.strftime("%b %d %H:%M:%S")
+
+    # Other variants of timestamps needed for this log sample
+    time = dt.strftime("%H:%M:%S.%f")
+    date = dt.strftime("%Y-%m-%d")
+    # Insert colon in tzoffset string; normally just 'tzoffset = dt.astimezone().strftime("%z")'
+    # Could use helper function above; e.g. 'tzoffset = insert_char(dt.astimezone().strftime("%z"), ":", 3)'
+    tzoffset = dt.astimezone().strftime("%z")
+    tzname = dt.astimezone().strftime("%Z")
+
+    # Derive epoch timestamp for use in search string
+    # NOTE:  There are caveats with 'strftime("%s")', see references below
+
+    # See https://stackoverflow.com/questions/11743019/convert-python-datetime-to-epoch-with-strftime
+    # See https://docs.python.org/3/library/datetime.html#datetime-objects
+    # Basically: Don't use 'utcnow()'
+
+    # Strict way to get epoch as a string (rather than float) avoiding naive objects
+    # epoch = dt.fromtimestamp(dt.timestamp()).strftime('%s')
+
+    # Since datetime.now().astimezone() is aware, strftime() should be safe and form below OK
+    # Trim last 3 or 7 characters of microsecond resolution to obtain milliseconds or whole seconds, respectively
+    epoch = dt.astimezone().strftime("%s.%f")
+
+    return iso, bsd, time, date, tzoffset, tzname, epoch

From 6c25e80556854f7a9c1a725df490eba960ce06c0 Mon Sep 17 00:00:00 2001
From: Mark Bonsack <mbonsack@splunk.com>
Date: Sun, 8 Mar 2020 13:25:30 -0700
Subject: [PATCH 2/8] Cleanup of debug cruft in tests

* Clean tests to remvoe debug statements
---
 package/etc/conf.d/filters/cisco/ucm.conf           |  4 ++--
 package/etc/conf.d/log_paths/lp-cisco_ucm.conf.tmpl |  1 -
 tests/test_cisco_ise.py                             |  2 +-
 tests/test_cisco_ucm.py                             | 10 +++++-----
 4 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/package/etc/conf.d/filters/cisco/ucm.conf b/package/etc/conf.d/filters/cisco/ucm.conf
index 811ae0d..afe0bff 100644
--- a/package/etc/conf.d/filters/cisco/ucm.conf
+++ b/package/etc/conf.d/filters/cisco/ucm.conf
@@ -21,8 +21,8 @@ parser p_cisco_ucm_date {
         if {
             parser {
                 date-parser(format(
-                    '%b %d %Y %l:%M:%S %p.%f',
-                    '%b %d %H:%M:%S.%f'
+                    '%b %d %H:%M:%S.%f',
+                    '%b %d %Y %I:%M:%S %p.%f'
                     )
                     template("$3")
                     flags(guess-timezone)
diff --git a/package/etc/conf.d/log_paths/lp-cisco_ucm.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_ucm.conf.tmpl
index a20bbd8..61d0274 100644
--- a/package/etc/conf.d/log_paths/lp-cisco_ucm.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-cisco_ucm.conf.tmpl
@@ -44,7 +44,6 @@ log {
 
     rewrite {
         set("cisco_ucm", value("fields.sc4s_vendor_product"));
-        set("$S_UNIXTIME.$S_MSEC", value("fields.sc4s_time"));
         r_set_splunk_dest_default(sourcetype("cisco:ucm"), index("main"))
     };
     parser {p_add_context_splunk(key("cisco_ucm")); };
diff --git a/tests/test_cisco_ise.py b/tests/test_cisco_ise.py
index bee913c..a644218 100644
--- a/tests/test_cisco_ise.py
+++ b/tests/test_cisco_ise.py
@@ -49,7 +49,7 @@ def test_cisco_ise_multi(record_property, setup_wordlist, setup_splunk, setup_sc
     message = mt.render(mark="<111>", bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset)
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search _time={{ epoch }} index=netauth host=\"{{ host }}\" sourcetype=\"cisco:ise:syslog\"")
+    st = env.from_string("search _time={{ epoch }} index=netauth host=\"{{ host }}\" sourcetype=\"cisco:ise:syslog\" LicenseTypes=1")
     search = st.render(epoch=epoch, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
diff --git a/tests/test_cisco_ucm.py b/tests/test_cisco_ucm.py
index 99c09bd..6fc8a22 100644
--- a/tests/test_cisco_ucm.py
+++ b/tests/test_cisco_ucm.py
@@ -31,7 +31,7 @@ def test_cisco_ucm_nohost_auditlog(record_property, setup_wordlist, setup_splunk
 
     mt = env.from_string(
         "{{ mark }}8103: {{ ucm_time }} {{ tzname }} : %UC_AUDITLOG-5-AdministrativeEvent: %[ UserID =administrator][ ClientAddress =192.168.1.1][ Severity =5][ EventType =GeneralConfigurationUpdate][ ResourceAccessed=CUCMAdmin][ EventStatus =Success][ CompulsoryEvent =No][ AuditCategory =AdministrativeEvent][ ComponentID =Cisco CUCM Administration][ AuditDetails =record in table device, with key field name = SEP0000311107A5 deleted][App ID=Cisco Tomcat][Cluster ID=][Node ID={{ host }}]: Audit Event is generated by this application\n")
-    message = mt.render(mark="<189>", tzname=tzname, ucm_time=ucm_time, host=host, epoch=epoch)
+    message = mt.render(mark="<189>", tzname=tzname, ucm_time=ucm_time, host=host)
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
     st = env.from_string(
@@ -60,8 +60,8 @@ def test_cisco_ucm_nohost_rtmt(record_property, setup_wordlist, setup_splunk, se
     epoch = epoch[:-3]
 
     mt = env.from_string(
-        "{{ mark }}17: {{ ucm_time }} {{ tzname }} : %UC_AUDITLOG-5-AdministrativeEvent: %[ UserID =administrator][ ClientAddress =10.1.1.1][ Severity =5][ EventType =GeneralConfigurationUpdate][ ResourceAccessed=CUCMAdmin][ EventStatus =Success][ CompulsoryEvent =No][ AuditCategory =AdministrativeEvent][ ComponentID =Cisco CUCM Administration][ AuditDetails =record in table device, with key field name = SEP0000311107A5 deleted][App ID=Cisco Tomcat][Cluster ID=][Node ID={{ host }}]: Audit Event is generated by this application {{ ucm_time }} {{ epoch }}\n")
-    message = mt.render(mark="<189>", ucm_time=ucm_time, tzname=tzname, host=host, epoch=epoch)
+        "{{ mark }}17: {{ ucm_time }} {{ tzname }} : %UC_AUDITLOG-5-AdministrativeEvent: %[ UserID =administrator][ ClientAddress =10.1.1.1][ Severity =5][ EventType =GeneralConfigurationUpdate][ ResourceAccessed=CUCMAdmin][ EventStatus =Success][ CompulsoryEvent =No][ AuditCategory =AdministrativeEvent][ ComponentID =Cisco CUCM Administration][ AuditDetails =record in table device, with key field name = SEP0000311107A5 deleted][App ID=Cisco Tomcat][Cluster ID=][Node ID={{ host }}]: Audit Event is generated by this application\n")
+    message = mt.render(mark="<189>", ucm_time=ucm_time, tzname=tzname, host=host)
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
     st = env.from_string(
@@ -122,8 +122,8 @@ def test_cisco_ucm_nohost_alert(record_property, setup_wordlist, setup_splunk, s
     epoch = epoch[:-3]
 
     mt = env.from_string(
-        "{{ mark }}17: {{ ucm_time }} {{ tzname }} : %CCM_RTMT-RTMT-2-RTMT-ERROR-ALERT: RTMT Alert Name:SyslogSeverityMatchFound Detail: At Tue Apr 21 14:01:35 CDT 2009 on node {{ host }}, the following SyslogSeverityMatchFound events generated: SeverityMatch - Critical ntpRunningStatus.sh: NTP server 10.12.254.33 is inactive. Verify the network to this server, that it is a NTPv4 server and is operational. SeverityMatch - Alert sshd(pam_unix)[20038]: check pass; user unknown App ID:Cisco AMC Service Cluster ID: Node ID:{{host}} {{ ucm_time }} {{ epoch }}\n")
-    message = mt.render(mark="<189>", epoch=epoch, ucm_time=ucm_time, host=host)
+        "{{ mark }}17: {{ ucm_time }} {{ tzname }} : %CCM_RTMT-RTMT-2-RTMT-ERROR-ALERT: RTMT Alert Name:SyslogSeverityMatchFound Detail: At Tue Apr 21 14:01:35 CDT 2009 on node {{ host }}, the following SyslogSeverityMatchFound events generated: SeverityMatch - Critical ntpRunningStatus.sh: NTP server 10.12.254.33 is inactive. Verify the network to this server, that it is a NTPv4 server and is operational. SeverityMatch - Alert sshd(pam_unix)[20038]: check pass; user unknown App ID:Cisco AMC Service Cluster ID: Node ID:{{host}}\n")
+    message = mt.render(mark="<189>", ucm_time=ucm_time, host=host)
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
     st = env.from_string(

From a979a585367768ee0d5289b88ca7377ddddc679f Mon Sep 17 00:00:00 2001
From: Mark Bonsack <mbonsack@splunk.com>
Date: Sun, 8 Mar 2020 13:28:55 -0700
Subject: [PATCH 3/8] Bump Cisco ACS/ISE multi-event timer to 30s

* Increase multi-event timer to 30s to catch more late events and include them in the group
---
 package/etc/conf.d/log_paths/lp-cisco_acs.conf.tmpl | 2 +-
 package/etc/conf.d/log_paths/lp-cisco_ise.conf.tmpl | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/etc/conf.d/log_paths/lp-cisco_acs.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_acs.conf.tmpl
index 5288c07..9dbf86f 100644
--- a/package/etc/conf.d/log_paths/lp-cisco_acs.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-cisco_acs.conf.tmpl
@@ -33,7 +33,7 @@ parser acs_grouping {
             value("MESSAGE" "$(implode '' $(context-values ${MESSAGE}))")
             value("ACS.COMPLETE" "yes")
         )
-        timeout(10)
+        timeout(30)
     );
 };
 
diff --git a/package/etc/conf.d/log_paths/lp-cisco_ise.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_ise.conf.tmpl
index ec5c3c2..de141b7 100644
--- a/package/etc/conf.d/log_paths/lp-cisco_ise.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-cisco_ise.conf.tmpl
@@ -33,7 +33,7 @@ parser ise_grouping {
             value("MESSAGE" "$(implode '' $(context-values ${MESSAGE}))")
             value("ISE.COMPLETE" "yes")
         )
-        timeout(10)
+        timeout(30)
     );
 };
 

From 381ea2b01b80612f0f7231a80da9a6b3e5f45e87 Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk <rfaircloth@splunk.com>
Date: Sun, 8 Mar 2020 16:33:52 -0400
Subject: [PATCH 4/8] Update index.md

---
 docs/sources/PaloaltoNetworks/index.md | 1 -
 1 file changed, 1 deletion(-)

diff --git a/docs/sources/PaloaltoNetworks/index.md b/docs/sources/PaloaltoNetworks/index.md
index 814344b..bc27602 100644
--- a/docs/sources/PaloaltoNetworks/index.md
+++ b/docs/sources/PaloaltoNetworks/index.md
@@ -53,7 +53,6 @@ MSG Parse: This filter parses message content
 | SC4S_LISTEN_PALOALTO_PANOS_UDP_PORT      | empty string      | Enable a UDP port for this specific vendor product using the number defined |
 | SC4S_ARCHIVE_PALOALTO_PANOS | no | Enable archive to disk for this specific source |
 | SC4S_DEST_PALOALTO_PANOS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | 
-| SC4S_SOURCE_FF_PALOALTO_PANOS_TIME_MS | no | Use custom time stamp parsing with ms added |
 
 ### Verification
 

From 6199531e904456dec067ffe1d7acc13538d8cb47 Mon Sep 17 00:00:00 2001
From: Mark Bonsack <mbonsack@splunk.com>
Date: Sun, 8 Mar 2020 14:52:55 -0700
Subject: [PATCH 5/8] Test for UCM bug

* Small change to test for UCM bug
---
 package/etc/conf.d/filters/cisco/ucm.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/etc/conf.d/filters/cisco/ucm.conf b/package/etc/conf.d/filters/cisco/ucm.conf
index afe0bff..f0ed063 100644
--- a/package/etc/conf.d/filters/cisco/ucm.conf
+++ b/package/etc/conf.d/filters/cisco/ucm.conf
@@ -21,8 +21,8 @@ parser p_cisco_ucm_date {
         if {
             parser {
                 date-parser(format(
-                    '%b %d %H:%M:%S.%f',
-                    '%b %d %Y %I:%M:%S %p.%f'
+                    '%b %d %H:%M:%S.%f'
+#                   '%b %d %Y %I:%M:%S %p.%f'
                     )
                     template("$3")
                     flags(guess-timezone)

From df36240897ca2acce624d4fbfdeb7d4e80a94eb1 Mon Sep 17 00:00:00 2001
From: Mark Bonsack <mbonsack@splunk.com>
Date: Sun, 8 Mar 2020 15:03:39 -0700
Subject: [PATCH 6/8] Undo previous debug change

* Undo previous debug change
---
 package/etc/conf.d/filters/cisco/ucm.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/etc/conf.d/filters/cisco/ucm.conf b/package/etc/conf.d/filters/cisco/ucm.conf
index f0ed063..afe0bff 100644
--- a/package/etc/conf.d/filters/cisco/ucm.conf
+++ b/package/etc/conf.d/filters/cisco/ucm.conf
@@ -21,8 +21,8 @@ parser p_cisco_ucm_date {
         if {
             parser {
                 date-parser(format(
-                    '%b %d %H:%M:%S.%f'
-#                   '%b %d %Y %I:%M:%S %p.%f'
+                    '%b %d %H:%M:%S.%f',
+                    '%b %d %Y %I:%M:%S %p.%f'
                     )
                     template("$3")
                     flags(guess-timezone)

From 760b67249e0215786e2e0369c4002bd90427be42 Mon Sep 17 00:00:00 2001
From: Mark Bonsack <mbonsack@splunk.com>
Date: Sun, 8 Mar 2020 15:54:55 -0700
Subject: [PATCH 7/8] Remove test for alternat timestamp

* Remove gomplate env var test for alternate timestamp and combine into one date-parser() call
---
 .../etc/conf.d/log_paths/lp-paloalto_panos.conf.tmpl | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/package/etc/conf.d/log_paths/lp-paloalto_panos.conf.tmpl b/package/etc/conf.d/log_paths/lp-paloalto_panos.conf.tmpl
index 27c6c3a..8f9907d 100644
--- a/package/etc/conf.d/log_paths/lp-paloalto_panos.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-paloalto_panos.conf.tmpl
@@ -39,15 +39,13 @@ log {
             prefix(".pan.")
             delimiters(',')
             );
+
         #2012/04/10 04:39:55
         #parse the date
-        date-parser(
-            {{- if (conv.ToBool (getenv "SC4S_SOURCE_FF_PALOALTO_PANOS_TIME_MS")) }}
-                format("%Y/%m/%d %H:%M:%S.%f")
-            {{- else}}
-                format("%Y/%m/%d %H:%M:%S")
-            {{- end}}
-
+        date-parser(format(
+                '%Y/%m/%d %H:%M:%S.%f',
+                '%Y/%m/%d %H:%M:%S'
+                )
                 template("${.pan.GeneratedTime}")
                 time-zone({{- getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}})
                 flags(guess-timezone)

From b30ffb3287a955275f85501c2f11c091b7494f47 Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk <rfaircloth@splunk.com>
Date: Sun, 8 Mar 2020 19:48:04 -0400
Subject: [PATCH 8/8] Update pytest.ini

---
 pytest.ini | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pytest.ini b/pytest.ini
index d33097b..8a5c519 100644
--- a/pytest.ini
+++ b/pytest.ini
@@ -5,7 +5,7 @@ addopts =
     --splunk_type=docker
     --keepalive
     --splunk_hec_token=1ec3c8ac-74b3-46f2-ba44-a7c96b6ab236
-    -n=1
+    -n=10
 filterwarnings =
     ignore::DeprecationWarning
 junit_family=xunit1
\ No newline at end of file