I have a log with a timestamp that does not contain the year.
Moreover, the events are not in chronological order.
Here is a sample:
%symavsfs-4: Thu Mar 08 12:16:23 Romance Standard
%symavsfs-4: Thu Mar 08 12:18:25 Romance Standard
%symavsfs-4: Fri Dec 15 00:12:45 Romance Standard
%symavsfs-4: Fri Dec 15 00:17:50Romance Standard
The timestamp extraction gives an error:
A possible timestamp match (Thu Mar 08 12:16:23 2019) is outside of the acceptable time window. If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAYS_HENCE.
I tried setting MAX_DAYS_AGO to 2000 (but it is supposed to be set by default), and MAX_DIFF_SECS_AGO to 31536000 (1 year in seconds).
But the extraction is still not correct.
Splunk understands that the events are in the future.
Does anyone know how to force Splunk to consider that the events are in the past, either in 2018 or in 2017?
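The sample lines do carry one piece of year information: the weekday name. The following added example (not code from the question or from Splunk's own timestamp extraction) resolves the missing year by choosing the most recent year, not later than an assumed ingestion date of January 2019, on which the named weekday actually falls on that month and day; it could run as a preprocessing step before indexing.

```python
import re
from datetime import datetime

# Constructed sample lines mirroring the ones in the question (no year in the timestamp).
SAMPLE_LINES = [
    "%symavsfs-4: Thu Mar 08 12:16:23 Romance Standard",
    "%symavsfs-4: Thu Mar 08 12:18:25 Romance Standard",
    "%symavsfs-4: Fri Dec 15 00:12:45 Romance Standard",
    "%symavsfs-4: Fri Dec 15 00:17:50Romance Standard",  # missing space, as in the sample
]

# Assumed ingestion time (January 2019), which is why a guessed year of 2019 lands in the future.
REFERENCE = datetime(2019, 1, 15)

WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

TS_RE = re.compile(
    r"(?P<wday>Mon|Tue|Wed|Thu|Fri|Sat|Sun) "
    r"(?P<mon>Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) "
    r"(?P<day>\d{2}) (?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})"
)


def resolve_year(line, reference=REFERENCE, max_years_back=10):
    """Return the line's timestamp as a datetime with the year filled in, or None.

    The year chosen is the most recent one, not later than `reference`, on which
    the weekday named in the line really falls on that month/day.
    """
    m = TS_RE.search(line)
    if not m:
        return None
    wday = WEEKDAYS.index(m["wday"])
    month = MONTHS.index(m["mon"]) + 1
    day, hh, mm, ss = (int(m[k]) for k in ("day", "h", "m", "s"))
    for year in range(reference.year, reference.year - max_years_back, -1):
        try:
            candidate = datetime(year, month, day, hh, mm, ss)
        except ValueError:  # e.g. Feb 29 in a non-leap year
            continue
        if candidate.weekday() == wday and candidate <= reference:
            return candidate
    return None


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ts = resolve_year(line)
        print(ts.isoformat() if ts else "no timestamp", "<-", line)
```

With the assumed reference date, "Thu Mar 08" resolves to 2018 and "Fri Dec 15" to 2017, the two years the question considers.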