I've got a log file which tracks some call statistics.
For some reason, Splunk has about half of these as being exactly 1 day older than they are.
This one is indexed as 7/15/10:
VQM: 8885551212 07/16/10.16:59:59 0.000% 0ms - G726 20ms 1 1
This one is indexed as 07/16/10:
VQM: 8885551212 07/16/10.16:33:40 0.000% 0ms - G729 20ms 1 1
For the life of me, I cannot tell the difference between the two.
I found a field called timestartpos, but that just (correctly) shows the first character of the time. Is there something like that for date?
I also correctly set the Time Zone in props.conf and created a timeformat string for that source, which didn't make any difference.
Thanks for your assistance.