Why is the timestamp showing up in the future on s...

AK_Splunk · ‎02-06-2023

I am facing issue for certain sourcetype the indexed events are with the future time stamp. The data of these source type is getting indexed in splunk via HF and forwarded to IDX. The props is defined from the SH GUI. please help me understand and eradicate this issue.

Example

event data
12/12/2024 10:08:24 PM
LogName=Application
SourceName=Galaxy
EventCode=1
EventType=4
Type=Information
ComputerName=testserver.gtest.com

TaskCategory=None
OpCode=None
RecordNumber=8425512
Keywords=Classic

shivanshu1593 · ‎02-06-2023

Unable to understand the requirement here. Your sample event contains the date of December 2024, which would obviously make Splunk create a bucket for a future timestamp and store it there. Could you please elaborate your requirement a bit so that we can propose a solution for you.

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###

AK_Splunk · ‎02-06-2023

Thanks for your response.
The data I showed is event data which is the time stamp of 2024 and the time should be showing as today's date and time.

Why is the timestamp showing up in the future on some sourcetypes for few servers?

calculated field

data model

field extraction

summary indexing

transaction

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation