I'd like to have Splunk add an additional (current) timestamp field to the events that I'm sending so that I can compare what my app thinks the time is, versus what the Splunk server says it is. I understand indexing can take some time and would naturally shift the time slightly, and that is ok. The sort of clock skew (between app server and indexing server) that I'm trying to expose is on the order of years.
My app is currently sending the time in the timestamp field of the events (JSON). Ideally I'd like to have Splunk add a field "timestamp_splunk" or something like that. Alternatively I'm happy to have Splunk set the timestamp field and have my app send the time in a different field.
... View more