I have a system that sometimes gets its clock messed up and starts sending events that are in the future. Splunk is recognizing the future time and is setting _time to the time of the last indexed event.
Is there any way to tell Splunk to use the current time for _time whenever a future time is detected?
You would need to set MAX_DAYS_HENCE attribute in the props.conf (to set on Indexer/Heavy forwarder) to adjust how long in future should splunk accept the timestamp. This can be set for a sourcetype OR for all using [default] stanza.
MAX_DAYS_HENCE = <integer>
* Specifies the maximum number of days in the future, from the current date as
provided by input layer(For e.g. forwarder current time, or modtime for files),
that an extracted date can be valid. Splunk still indexes events with dates
more than MAX_DAYS_HENCE in the future with the timestamp of the last
acceptable event. If no such acceptable event exists, new events with
timestamps after MAX_DAYS_HENCE will use the current timestamp.