Hi All, Currently we are facing an issue with data being logged with future time stamp for certain host and source type.

In our environment we have nearly 1000 windows UF agent installed to pull the data from the remote windows machine and it is parsed into 5 indexer instance to index the data from remote devices.

Out of 1000 Windows UF agent there are nearly 200 windows agents are logging with future time stamp with the source type = Script:ListeningPorts.

I have used the below query to identify the list of any log sources that are logging with future time stamps

I have used to this query to verify whether the host and source type are logging with future time stamp or not.

index=win_svrs host=test1 sourcetype=Script:ListeningPorts earliest=+5m latest=+20y
| where _indextime < _time
| eval indextime=strftime(_indextime, "%+")

Below is the partial configuration details :

My input stanza configured in all remote windows machine via Deployment server.

Scripted Input (See also wmi.conf)
[script://.\bin\win_listening_ports.bat]
disabled = 0

Run once per hour

interval = 3600
sourcetype = Script:ListeningPorts
index = win_svrs

Props.conf
[source::...win_listening_ports.bat]
sourcetype = Script:ListeningPorts

Data are parsed into all the indexer instance before indexing data into index.

Props.conf

Listening Ports
[Script:ListeningPorts]
SHOULD_LINEMERGE = false

Transforms.conf

Listening Ports
[dest_ip_for_listeningports]
REGEX = dest_ip=[(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})
FORMAT = dest_ip::$1

[kv_for_listeningports]
DELIMS = " ", "="

I am not sure how its working for other 800 servers with the correct time stamp with the same sourcetype and only for 200 servers we could see future time stamp.

Kindly guide me know how to correct the future time stamp issue for 200 servers.