I'm pulling events from remote computers using WMI as described in the Splunk docs. Everything seems to be going quite well except... sometimes I encounter something like this in my logs:
Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (128) characters of event. Defaulting to timestamp of previous event (Mon Dec 6 12:22:22 2021). Context: source=WMI:WinEventLog:Application|host=<redacted>|WMI:WinEventLog:Application|1
This is quite surprising, since I thought that WMI-pulled events should have a proper timestamp created from the event timestamp on the source machine. Has anyone encountered such an issue?