The logs don't contain a date in them, so the events ingested into Splunk are going to the previous date.
Following are some of the events from Splunk:
05:50:41.426: GenHttpRequest() with id: 216526 created
05:50:41.426: HttpSocket selected for http://10.93.78.16:8800/
05:50:36.715: GenHttpRequest with id: 216525 destroyed
05:50:36.715: Socket fd=956, Message Length:224
What could be the best props I can configure to get the correct date to show up in Splunk?
Sometimes there was a lag in the log flow into Splunk, so I was not able to use the DATETIME_CONFIG = CURRENT config.
Is there any way that the date is picked up from filename and time from events?
Not that I am aware of, but you can do it at search time:
| rex field=source "(?<field_from_rex_above>regex that captures the date)"
| eval new_time_string = field_from_rex_above . " " . time_field_from_event
| eval _time = strptime(new_time_string, "time_format")
The above is a formula; you will have to apply the right rules for your use.
If the events are generated and indexed in close time proximity, you can use:
DATETIME_CONFIG = CURRENT
in props.conf
DATETIME_CONFIG = <filename relative to $SPLUNK_HOME>
* Specifies which file configures the timestamp extractor, which identifies
timestamps from the event text.
* This configuration may also be set to "NONE" to prevent the timestamp
extractor from running or "CURRENT" to assign the current system time to
each event.
* "CURRENT" will set the time of the event to the time that the event was
merged from lines, or worded differently, the time it passed through the
aggregator processor.
Read more here:
https://docs.splunk.com/Documentation/Splunk/7.1.1/Admin/Propsconf
Hope it helps.
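As an added illustration of the search-time approach above (not code from the thread or from Splunk), here is the same rex + concatenate + strptime logic in Python, run over the thread's sample events and a constructed source path; the file name, its date and the regexes are assumptions, and the time format mirrors Splunk's "%Y-%m-%d %H:%M:%S.%3N" (Python spells the milliseconds as %f).

```python
import re
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample: a monitored file whose name carries the date (assumed
# naming scheme), plus the time-only events quoted in the thread.
SOURCE = "/var/log/app/gen-http-2018-06-14.log"
EVENTS = [
    "05:50:41.426: GenHttpRequest() with id: 216526 created",
    "05:50:41.426: HttpSocket selected for http://10.93.78.16:8800/",
    "05:50:36.715: GenHttpRequest with id: 216525 destroyed",
    "05:50:36.715: Socket fd=956, Message Length:224",
]

# SPL equivalent: | rex field=source "(?<log_date>\d{4}-\d{2}-\d{2})"
DATE_FROM_SOURCE = re.compile(r"(?P<log_date>\d{4}-\d{2}-\d{2})")
# SPL equivalent: | rex "^(?<event_time>\d{2}:\d{2}:\d{2}\.\d{3})"
TIME_FROM_EVENT = re.compile(r"^(?P<event_time>\d{2}:\d{2}:\d{2}\.\d{3})")
# Splunk strptime format would be "%Y-%m-%d %H:%M:%S.%3N"; Python uses %f.
TIME_FORMAT = "%Y-%m-%d %H:%M:%S.%f"


def extract_date(source: str) -> Optional[str]:
    """Date portion taken from the source path, or None if the name has none."""
    m = DATE_FROM_SOURCE.search(source)
    return m.group("log_date") if m else None


def event_epoch(source: str, raw: str) -> Optional[float]:
    """Rebuild _time for one event: date from the source, time from the event.

    Returns None when either part is missing, the analogue of the eval
    producing a null _time instead of silently keeping a wrong date.
    """
    log_date = extract_date(source)
    m = TIME_FROM_EVENT.match(raw)
    if log_date is None or m is None:
        return None
    new_time_string = f"{log_date} {m.group('event_time')}"  # the concat step
    dt = datetime.strptime(new_time_string, TIME_FORMAT)
    return dt.replace(tzinfo=timezone.utc).timestamp()  # assumes UTC logs


def retime(source: str, events: List[str]) -> List[Optional[float]]:
    """Apply event_epoch to every event of one source, preserving order."""
    return [event_epoch(source, e) for e in events]


if __name__ == "__main__":
    for raw, ts in zip(EVENTS, retime(SOURCE, EVENTS)):
        print(ts, raw)
```

Events written after midnight into a file still named for the previous day will get that file's date, which is the inherent limit of taking the date from the source name.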