I have a sourcetype where Splunk is correctly getting the time stamp from the events, but the events don't contain a date.
Unfortunately the logs are named like:
050508 is part of a username, and not a date. But, sure enough, Splunk thinks the events are from 2008-05-05.
Is there a way to get the date from index-time, but get the time from the timestamp?
I would suggest using DATETIME_CONFIG = current in props.conf for the sourcetype the data is assigned to. I think it has a decent chance of telling Splunk to use the current system timestamp for the event. You can also try to specify TIME_FORMAT, TIME_PREFIX, and MAX_TIMESTAMP_LOOKAHEAD in props.conf to tell Splunk what the time format is, where to look for the timestamp, and how many characters the timestamp contains. If there isn't a date in the file, just don't specify one. The default behavior, when the log doesn't contain a date, is to revert to the mod time of the file for the date. Hopefully this will get you close to what you'd like to see.
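As an added illustration (not part of the original answer), here is what the two settings described above look like in a props.conf stanza. The sourcetype name app_user_log and the assumption that each event begins with a time of day in HH:MM:SS form are hypothetical. Note that DATETIME_CONFIG = CURRENT discards the event's own time as well as its date, so if you need the time of day from the event, the second approach (explicit TIME_PREFIX, TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD) is the one to try first.

```ini
# props.conf (added example; sourcetype name and time format are assumptions)
[app_user_log]

# Approach A: stamp every event with the indexer's clock at index time.
# This sets both date AND time from the system clock, so the time of day
# in the event text is lost. Uncomment to use instead of approach B.
# DATETIME_CONFIG = CURRENT

# Approach B: pin the timestamp extraction to the event text.
# TIME_PREFIX is a regex matched before the timestamp; "^" means the
# timestamp starts at the beginning of the line.
TIME_PREFIX = ^
# The event carries only a time of day, so no date directives are given.
TIME_FORMAT = %H:%M:%S
# Only look at the first 8 characters ("HH:MM:SS"), so Splunk does not
# scan further into the event hunting for a date that is not there.
MAX_TIMESTAMP_LOOKAHEAD = 8
```

With approach B, Splunk has no date to extract from the event, so it falls back to another source for the date (the answer above points to the file's modification time). After changing props.conf, restart or reload the Splunk instance that parses this data and re-index a sample file; data that was already indexed keeps its original timestamps.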