Given:
I have two log files (file_1, file_2)
Each from a different server (server_1, server_2).
The servers are not property synchronized via ntpd. (Example: server_1 is 13 seconds ahead of server_2.)
I do not have the ability to adjust or correct the server times.
I am the Splunk user, not the Splunk administrator.
Problem: After ingesting each of the log files, the events are off by 13 seconds (obviously).
Question: Can I adjust the _time for all events in source=file_2 by 13 seconds so the events line up correctly in search results, graphs, etc.?
↧