as Title , I have many events older than 1970/1/1 , Splunk doesn't index those events (I have modified max_days_ago=18250 in props.conf)
is it because splunk's timestamp is from 1970/1/1 ? is there any work around ? thanks .
No, Splunk only supports events with an epoch time greater than zero.
Are these events from a time machine that you used to travel back in time?
Stephen is correct regarding epoch time being greater than 0. 01 Jan 1970 00:00:00 UTC is epoch 0.
Perhaps as a workaround you can try modifying the timestamp on your events?
No, Splunk only supports events with an epoch time greater than zero.