- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why is the timestamp showing up in the future on some sourcetypes for few servers?
I am facing issue for certain sourcetype the indexed events are with the future time stamp. The data of these source type is getting indexed in splunk via HF and forwarded to IDX. The props is defined from the SH GUI. please help me understand and eradicate this issue.
Example
event data
12/12/2024 10:08:24 PM
LogName=Application
SourceName=Galaxy
EventCode=1
EventType=4
Type=Information
ComputerName=testserver.gtest.com
TaskCategory=None
OpCode=None
RecordNumber=8425512
Keywords=Classic
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unable to understand the requirement here. Your sample event contains the date of December 2024, which would obviously make Splunk create a bucket for a future timestamp and store it there. Could you please elaborate your requirement a bit so that we can propose a solution for you.
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your response.
The data I showed is event data which is the time stamp of 2024 and the time should be showing as today's date and time.
