I have a timestamp that is not coming incorrectly. Splunk is reading the seconds portion of time in my event as minutes.
COMPUTER1, 09/15/2014, 0:00:01 comes across as
9/15/2015 12:01:00 AM
How do I get it to see the seconds as seconds and not minutes?
Use these settings in props.conf for that sourcetype:
...
MAX_TIMESTAMP_LOOKAHEAD=30
TIME_FORMAT=%m/%d/%Y, %k:%M:%S
TIME_PREFIX=^\S+,
The important bit is the %k for hours not prefixed by a zero when in single digits, by default Splunk looks for zero-prefixed hours only.