How will Splunk decide the date/time in the _time field?
I am getting a strange date/time.
In the first event I don't have any date/time information; Splunk will use the event generation date/time.
In the second event I have several date/time fields; Splunk picks up the date from one of the fields, and for the time it is using the event generation time.
Is this the right behavior?
If I want to educate Splunk on a specific date/time based on the eventtype, what should I do?