Data coming in from an API is using the _indextime as the _time field because the timestamp format that is being sent is not recognised by Splunk.
An example of the timestamp would look like this:
As you can see, an offset of -7 or -8 hours is being added to the time field.
The timestamp format we`re currently using for the sourcetype is:
This is no longer working after the sender made some changes to the timestamp, but I`m not entirely sure how to represent the new format.
Using Splunk Cloud.
Any help would be greatly appreciated.
The timestamp specification does indeed look OK. The question is - are the timestamps more or less "current". Because if they aren't (are outside margins set by MAX_DAYS_AGO and MAX_DAYS_HENCE with additional constraints for MAX_DIFF_SECS_AGO and MAX_DIFF_SECS_HENCE), splunk will apply additional mechanics described in https://docs.splunk.com/Documentation/Splunk/Latest/Admin/Propsconf
The timestamps are quite old. What are the defaults for MAX_DAYS_AGO and MAX_DAYS_HENCE as I cannot see them being defined in the sourcetype settings ?
Should I go ahead and define them ? Some of the data is older than 2000 days.
The timestamp format is correct for the examples shown.
Perhaps the problem lies in the rest of the sourcetype configuration.
Please can you share some anonymised events and your sourcetype configuration.