I am indexing a log file which doesn't have a timestamp, but has a few events that have a completion time (how much time it took to complete, a kind of time difference). Splunk is taking this time as the timestamp, which ultimately is causing wrong timestamp assignment.
The event is something like below:
[check:INFO][abc.sh] abc.sh Total Time: 0:10:47
In Splunk it is shown as:
14/12/2016 10:47:00.000 [check:INFO][abc.sh] abc.sh Total Time: 0:10:47
However, this 10:47 is not the timestamp. For a few events, it is working fine, but not for each event.
I've tried putting the props.conf below on the Search head. I also want to break each line as an event, but it is also not working 😞