If this is true, why do my Splunk servers running Windows 2012 R2 create the date_* fields for their own event logs? They are using the same props.conf and Splunk_TA_windows app. When I search their Windows logs, they return date_* fields. None of my universal forwarders on Windows Server 2012 R2 or otherwise, or my Windows 7 clients, do. The only difference I can find is that all my servers (search heads, indexers, master indexer, deployment server) are running Splunk Enterprise. My other systems are running universal forwarders. I have used universal forwarder 6.4.0, 6.5.0 and am now trying 7.0.0. It would make sense if NONE of my Windows events gave date_* fields... but they do. I really would prefer this to work, to take load off the search head parsing days and hours from the search to return non-business-hour logins. I can do this using eval to create the fields, but it is EXTREMELY slow and search-head intensive, as it has to return all results and then evaluate and parse them, versus only returning the valid events from the index using date_wday and date_hour.
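The two search shapes the post contrasts, written out as an added example (not from the original post or from Splunk_TA_windows). The first search filters on the indexed date_wday and date_hour fields, so only non-business-hour events leave the indexer; the second returns every logon event to the search head and derives the weekday and hour with eval before filtering. The index name `wineventlog`, the `user` and `ComputerName` field names, and the business-hours window (07:00 to 19:00, Monday to Friday) are assumptions; EventCode 4624 is the Windows successful-logon event. date_wday values are lowercase day names and date_hour is a 0-23 integer.

```spl
index=wineventlog EventCode=4624
    (date_wday=saturday OR date_wday=sunday OR date_hour<7 OR date_hour>=19)
| table _time date_wday date_hour user ComputerName

index=wineventlog EventCode=4624
| eval hour=tonumber(strftime(_time, "%H")), wday=lower(strftime(_time, "%A"))
| where wday="saturday" OR wday="sunday" OR hour<7 OR hour>=19
| table _time wday hour user ComputerName
```

Both searches return the same rows when the date_* fields are present; the difference is where the filtering happens. Comparing the scanned-versus-returned event counts in the Job Inspector for each run shows the cost the post describes, and is a quick way to confirm whether a given host's events actually carry the date_* fields before relying on them in a scheduled detection.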