I have a system that sometimes gets its clock messed up and starts sending events that are in the future. Splunk is recognizing the future time and is setting _time to the time of the last indexed event.
Is there any way to tell Splunk to use the current time for _time whenever a future time is detected?
You would need to set the MAX_DAYS_HENCE attribute in props.conf (set on the Indexer/Heavy forwarder) to adjust how far in the future Splunk should accept a timestamp. This can be set for a sourcetype OR for all sourcetypes using:
MAX_DAYS_HENCE = <integer>
* Specifies the maximum number of days in the future, from the current date as provided by the input layer (for example, forwarder current time, or modtime for files), that an extracted date can be valid.
* Splunk still indexes events with dates more than MAX_DAYS_HENCE in the future with the timestamp of the last acceptable event.
* If no such acceptable event exists, new events with timestamps after MAX_DAYS_HENCE will use the current timestamp.
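The following is an added example, not part of the thread above and not Splunk's own code. It parses a constructed props.conf fragment (the `[default]` and `clockskew:app` stanzas and the 30-day value are invented for illustration) to show where MAX_DAYS_HENCE can be set per sourcetype or globally, and then models the rule quoted in the answer: an extracted timestamp within MAX_DAYS_HENCE days of "now" is kept, a timestamp beyond it falls back to the last acceptable event's time, and if no acceptable event has been seen yet the current time is used. The model ignores other things the real timestamp processor looks at (MAX_DAYS_AGO, modtime, and so on); it exists only to make the documented future-time behaviour concrete.

```python
import configparser
from datetime import datetime, timedelta, timezone

# Constructed props.conf fragment (assumption, not from the thread): a
# [default] stanza that applies everywhere plus a sourcetype-specific override.
PROPS_CONF = """
[default]
MAX_DAYS_HENCE = 2

[clockskew:app]
MAX_DAYS_HENCE = 30
"""

# Splunk's documented default when MAX_DAYS_HENCE is not set anywhere.
SPLUNK_DEFAULT_MAX_DAYS_HENCE = 2


def load_max_days_hence(props_text):
    """Return {stanza: MAX_DAYS_HENCE} for every stanza that sets it."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # props.conf keys are case-sensitive; do not lowercase them
    cp.read_string(props_text)
    return {
        section: int(cp[section]["MAX_DAYS_HENCE"])
        for section in cp.sections()
        if "MAX_DAYS_HENCE" in cp[section]
    }


def max_days_hence_for(limits, sourcetype):
    """Sourcetype stanza wins, then [default], then Splunk's built-in default."""
    return limits.get(sourcetype, limits.get("default", SPLUNK_DEFAULT_MAX_DAYS_HENCE))


def assign_time(events, max_days_hence, now):
    """Model of the documented rule for future timestamps.

    events: extracted timestamps in arrival order.
    Returns the _time that would be assigned to each event.
    """
    horizon = now + timedelta(days=max_days_hence)
    last_acceptable = None
    assigned = []
    for extracted in events:
        if extracted <= horizon:
            # Within the window: the extracted timestamp is valid and becomes
            # the new "last acceptable event" time.
            last_acceptable = extracted
            assigned.append(extracted)
        elif last_acceptable is not None:
            # Too far in the future: reuse the last acceptable event's time.
            assigned.append(last_acceptable)
        else:
            # Too far in the future and nothing acceptable seen yet: use now.
            assigned.append(now)
    return assigned


# Constructed sample input: a sane event, one a day ahead, one ten days ahead
# (the kind of jump a host with a broken clock would produce).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
EVENTS = [
    NOW - timedelta(hours=1),
    NOW + timedelta(days=1),
    NOW + timedelta(days=10),
]


def demo(sourcetype):
    """Assign _time to EVENTS using the limit that applies to `sourcetype`."""
    limits = load_max_days_hence(PROPS_CONF)
    return assign_time(EVENTS, max_days_hence_for(limits, sourcetype), NOW)


if __name__ == "__main__":
    for st in ("syslog", "clockskew:app"):
        print(f"sourcetype={st} MAX_DAYS_HENCE={max_days_hence_for(load_max_days_hence(PROPS_CONF), st)}")
        for extracted, assigned in zip(EVENTS, demo(st)):
            print(f"  extracted={extracted.isoformat()} -> _time={assigned.isoformat()}")
```

With the 2-day default the ten-days-ahead event is indexed with the one-day-ahead event's timestamp (the "last acceptable event" behaviour the question describes), while under the 30-day override it keeps its own timestamp. Only when the very first event of a stream is already beyond the window does the model fall back to the current time, which matches the last bullet of the quoted spec.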