Background - the designed Windows log flow is Splunk Agent of Universal Forwarder -> Splunk Heavy Forwarder -> Splunk Indexer. The paths are monitored with inputs.conf in the Universal Forwarder like this:

    [monitor://D:\test\*.csv]
    disabled=0
    index=asr_info
    sourcetype=csv
    source=asr:report
    crcSalt=<SOURCE>

The example content for one of the CSV files is like below:

    cn,comment_id,asr_number,created_by,created_date
    zhy,15,2024-10-12-1,cc,2024-10-28 18:10
    bj,10,2024-09-12-1,cc,2024-09-12 13:55

For the 2 indexed rows, the field extractions are good except _time. For the first row, _time is 10/12/24 6:10:00.000 PM; for the second row, _time is 9/12/24 1:55:00.000 PM.

Question - How to make _time be the real ingested time instead of guessing from the row content? (Tried with DATETIME_CONFIG = CURRENT in both HF and index in props like this:

    [source::asr:report]
    DATATIME_CONFIG = CURRENT

but it does not work.)