i have a data source of csv type, generated from a script that runs every 1 minute.
the data has "time" field, which is in dd/mm/yyyy hh:mi format, and everything works great.
when i create a summmary index that runs every 5 minutes, using the web interface, or use a collect command to do it manually one time, i have the following problem :
the time fields that splunk shows the data according to is _time which gets the time of the summary/collect runtime, and not the time of the data under it.
if i do that i get _time empty when i do my search, and when i use collect on it and search the result, i get the same thing, _time has the time of the collect.
why is the field _time not getting the value in time?