We have a heavy forwarder with the Splunk_TA_cisco-esa app and a props.conf as below:
TIME_FORMAT=%y>%b %d %H:%M:%S
TIME_PREFIX=^<
We are finding that sometimes the events are being created in Splunk with incorrect dates (see examples below). Any ideas why it's putting the events in the past?