I have configured the TIME_FORMAT in props.conf as mentioned below.
INDEXED_EXTRACTIONS = csv
FIELD_DELIMITER = ,
SHOULD_LINEMERGE = false
HEADER_FIELD_LINE_NUMBER = 1
CHECK_FOR_HEADER = true
NO_BINARY_CHECK = true
disabled = false
initCrcLength = 2048
CHARSET = AUTO
KV_MODE = none
category = structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
pulldown_type = 1
SEDCMD-replacespace = s/ /_/g
TIMESTAMP_FIELDS = "TimeField"
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TZ = UTC
Monitoring CSV file in UF. This props is in indexer.
Example input data - 2019-08-13 07:15:00
But after indexing _time is coming as 2019-08-13 07:00
The Minute part is disappearing.
Please suggest some solution
I put the props in UF and it is working fine now. Thanks
Does this mean the directory of $SPLUNK_HOME/SplunkUniversalForwarder/default
or something else?