I have a problem when indexing events through a forwarder. The forwarder is listening to a log file whose first event (first record) is a header event. But I can see that the events are not coming into the indexer as-is; they are getting sorted by datetime.
Splunk indexes data as soon as it is received and might not know when your file writing finishes. These events are persisted to disk in their original arrival order. However, in search results, events are retrieved in inverse time order to show the latest events first.
You can sort events during search to see events in arrival order.
The first record in the file is a header record. On the search head, I'm trying to extract the fields by creating props.conf and transforms.conf in $SPLUNK_HOME/etc/apps/appname/local. But I couldn't see the fields getting extracted. Is it because of the order that I'm not able to extract the fields? Please advise.
The order of indexing should not affect the extraction process. From the above configuration, it looks more like an index-time extraction, and for that you have to place the configuration on the indexers.
If you just want search-time extractions, try with Splunk Web.
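To make the placement point in the answer above concrete, here is an added example (not from the thread or from Splunk's own docs) of the two kinds of configuration side by side. It assumes a comma-delimited file whose first line is the header `timestamp,user,action` (constructed field names) and a sourcetype named `myapp_csv` (assumed); the header line itself will be indexed as an ordinary event in the search-time variant, so it will show up with field values equal to the column names.

```ini
# ---- Search-time extraction: goes on the SEARCH HEAD ----
# $SPLUNK_HOME/etc/apps/appname/local/props.conf
[myapp_csv]
# REPORT- stanzas are applied at search time, so this is the right tier
# for the setup described in the question.
REPORT-myapp_fields = myapp_delim

# $SPLUNK_HOME/etc/apps/appname/local/transforms.conf
[myapp_delim]
# Delimited extraction: column order must match the header line.
# The header event itself is also split, yielding timestamp="timestamp" etc.
DELIMS = ","
FIELDS = "timestamp", "user", "action"

# ---- Index-time (structured) extraction: NOT on the search head ----
# INDEXED_EXTRACTIONS is read by the tier that parses the file (the indexer,
# as the answer above says; a universal forwarder monitoring a structured
# file applies it on the forwarder itself). Putting it on the search head
# has no effect, which matches the symptom in the question.
# props.conf on the parsing tier
[myapp_csv]
INDEXED_EXTRACTIONS = csv
FIELD_DELIMITER = ,
# First line of the file is the header; it is consumed, not indexed as an event.
HEADER_FIELD_LINE_NUMBER = 1
TIMESTAMP_FIELDS = timestamp
```

A quick check after deploying either variant is `sourcetype=myapp_csv | table _time timestamp user action`; if the fields are empty, the configuration is on the wrong tier or the sourcetype name does not match the input.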