We are getting events from one of our applications, but the indexed time and the event logged time are different. Please let me know how to fix this timestamp issue. I guess I need to use props.conf timestamp settings.
Sample event:
I viewed it in list mode:
Time: 6/6/18 11:28:09.000 AM
Event: 20 6 Jun 6 11:28:09 hostname TAG: Hostd: info hostd [abcd@111] Test Backup succeeded
Likewise, all the events are generated.
If I viewed in Raw mode:
20 6 Jun 6 11:28:09 hostname TAG: Hostd: info hostd [abcd@11] Test Backup succeeded.
I don't see anything wrong with the time either. It may help if you included a screenshot or something. Both timestamps are 11:28:09. What's the issue?
I'm not sure I see what's wrong. I see no year in your raw event, so from where would Splunk get a value to use other than "The current year?"
Unless - is the "20 6" supposed to be "2006" or "2016" or "2026" or something?
Do you have any control over the format of the raw events?