The UTF-16LE log file is fetched in batch mode, but an LRM (Left-to-Right Mark) is included in the date part of the log file, so the date part cannot be extracted correctly
and different dates are coming in to _time.
Raw data:
[1]0638.08C4::?2019?-?03?-?21 15:44:03.831 [Microsoft-Windows-DNSServer]QUERY_RECEIVED: TCP=0????????? IP=10.10.10.10????=10.10.10.4?RD=1?QNAME=test.net.?QTYPE=1?XID=38145????=56663????=256????? ???=0x950101000002345000000000116169636869737465656C73746F7261676504626C6F6204636F72650777696E646F7773036E65740000010001
Please notice the "?" characters inside the date format. How do I parse it correctly to capture the actual date in Splunk?
Please help
In props.conf, you need to configure timestamp extraction. https://docs.splunk.com/Documentation/Splunk/7.2.6/Data/Configuretimestamprecognition
[yoursourcetype]
MAX_TIMESTAMP_LOOKAHEAD = 44
TIME_PREFIX = ::?
TIME_FORMAT = %Y?-?%m?-?%d %H:%M:%S.%3N
You may also need to configure other index-time settings like line breaking, etc.
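Added example (not from the original thread or from Splunk): it reproduces the answer's TIME_PREFIX / TIME_FORMAT logic in Python against a constructed UTF-16LE line, using the real U+200E character where the page shows "?", so you can confirm the pattern before putting it in props.conf. The sample bytes and the strip_bidi_marks helper are assumptions for illustration.

```python
import re
from datetime import datetime

LRM = "\u200e"  # Left-to-Right Mark: the invisible character the question shows as "?"

# Constructed sample: the start of the question's DNS log line, with U+200E inserted
# where the page renders "?", encoded as UTF-16LE like the original file.
SAMPLE_LINE = (
    "[1]0638.08C4::" + LRM + "2019" + LRM + "-" + LRM + "03" + LRM + "-" + LRM + "21"
    + " 15:44:03.831 [Microsoft-Windows-DNSServer]QUERY_RECEIVED: TCP=0"
)
SAMPLE_UTF16LE = SAMPLE_LINE.encode("utf-16-le")

# Regex equivalents of the answer's props.conf settings, with the real LRM in place of "?":
#   TIME_PREFIX = ::<LRM>
#   TIME_FORMAT = %Y<LRM>-<LRM>%m<LRM>-<LRM>%d %H:%M:%S.%3N
TIME_PREFIX = re.compile("::" + LRM)
TIME_FORMAT = re.compile(
    r"(?P<Y>\d{4})" + LRM + "-" + LRM + r"(?P<m>\d{2})" + LRM + "-" + LRM
    + r"(?P<d>\d{2}) (?P<H>\d{2}):(?P<M>\d{2}):(?P<S>\d{2})\.(?P<ms>\d{3})"
)
MAX_TIMESTAMP_LOOKAHEAD = 44  # characters examined after the prefix, as in the answer


def extract_timestamp(raw_utf16le: bytes) -> datetime:
    """Decode the line, locate TIME_PREFIX, then match TIME_FORMAT inside the lookahead window."""
    text = raw_utf16le.decode("utf-16-le")
    prefix = TIME_PREFIX.search(text)
    if prefix is None:
        raise ValueError("TIME_PREFIX not found in line")
    window = text[prefix.end(): prefix.end() + MAX_TIMESTAMP_LOOKAHEAD]
    m = TIME_FORMAT.match(window)
    if m is None:
        raise ValueError("timestamp after prefix does not match TIME_FORMAT")
    g = m.groupdict()
    return datetime(int(g["Y"]), int(g["m"]), int(g["d"]),
                    int(g["H"]), int(g["M"]), int(g["S"]), int(g["ms"]) * 1000)


def strip_bidi_marks(text: str) -> str:
    """Alternative approach: remove LRM/RLM so a plain %Y-%m-%d %H:%M:%S.%3N format matches."""
    return re.sub("[\u200e\u200f]", "", text)
```

If the file is read as bytes by another tool, remember the marks are two bytes (0x0E 0x20) in UTF-16LE, so a byte-level search for "?" will never find them.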