Hi Team, I'm trying to add customized event timestamp by extracting from raw data instead of adding current time as the event time. To achieve this I created a sourcetype with following settings from splunk web gui after testing in lower environment. But in production it is not functioning as expected. Raw data: 2024-11-18 09:20:10.187, STAGE_INV_TXNS_ID="xxxxxxxxx", LOC="xxxxxxx", STORE_NAME="xxxxxxx", STORE_PCODE="xxxxxxxxx", TRAN_CODE="xxxx", TRANS_TYPE="xxxxxxx", TRAN_DATE_TIME="2024-11-18 09:09:27", LAST_UPDATE_USER="xxxxxx" 2024-11-18 09:20:10.187, STAGE_INV_TXNS_ID="xxxxxxxxx", LOC="xxxxxxx", STORE_NAME="xxxxxxx", STORE_PCODE="xxxxxxxxx", TRAN_CODE="xxxx", TRANS_TYPE="xxxxxxx", TRAN_DATE_TIME="2024-11-18 09:09:27", LAST_UPDATE_USER="xxxxxx" 2024-11-18 09:20:10.187, STAGE_INV_TXNS_ID="xxxxxxxxx", LOC="xxxxxxx", STORE_NAME="xxxxxxx", STORE_PCODE="xxxxxxxxx", TRAN_CODE="xxxx", TRANS_TYPE="xxxxxxx", TRAN_DATE_TIME="2024-11-18 09:09:28", LAST_UPDATE_USER="xxxxxxx" 2024-11-18 09:20:10.187, STAGE_INV_TXNS_ID="xxxxxxxxx", LOC="xxxxxxx", STORE_NAME="xxxxxxx", STORE_PCODE="xxxxxxxxx", TRAN_CODE="xxxx", TRANS_TYPE="xxxxxxx", TRAN_DATE_TIME="2024-11-18 09:09:30", LAST_UPDATE_USER="xxxxx" I want the timestamp in TRAN_DATE_TIME field to be event timestamp. This data we are pulling from database using db connect. Could you please help us in understanding whats going wrong and how it can be corrected.
... View more
