Greetings everyone. Is there any way to modify _time's value for the sake of a single search? One of our sources has the time set 2 hours behind where it should be. We have to present data tomorrow, and it will take at least a week to re-index everything. Any ideas would be appreciated.
Things can get slightly wonky doing stuff like this though. You may need to resort by time (| sort -_time), and because this is a post-search processing of the data your search window will need to be large enough to be inclusive of the whole time window.
I would definitely plan on a reindex to fix the fouled data. But this might get you through your demo tomorrow.
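The per-search fix the answer describes, written out as an added example search that is not from the original thread: `index=main`, the sourcetypes `badclock` (the source whose clock is 2 hours behind) and `goodclock`, and the 7200-second offset are assumed for illustration. The `if()` keeps the shift limited to the affected source so other sources' timestamps stay untouched, `earliest` is widened by the same 2 hours so events whose corrected time falls inside the last 24 hours are still pulled in, and the `where` then trims to the intended window on the corrected `_time`:

```spl
index=main (sourcetype=badclock OR sourcetype=goodclock) earliest=-26h latest=now
| eval _time=if(sourcetype=="badclock", _time+7200, _time)
| where _time>=relative_time(now(), "-24h")
| sort 0 -_time
```

`sort 0` removes the command's default 10,000-row cap; the `eval` only rewrites `_time` in the results of this search, so the indexed events are unchanged and the reindex the answer recommends is still needed.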