I don't have a time stamp field in any of my events. As of now, the default system time is added as _time.
The file comes in hourly with a file name like filename201503121000.csv [filenameYYYYMMDDHHSS.csv]. Now I am trying to extract _time from the source file name. I created a transformation and then calculated _time based on source.
It seems like _time has changed,
Earlier: search duration is <2015-Mar-12 00:00 to 2015-Mar-12 12:00>
Filename_201503121000.csv [12-Mar-2015 10:00] comes at 11.10, so all the events are looking like this,