Hello,
I have an issue where a small percentage of my logs are coming in dated 2011. I tracked it down to a field called `usernum=*` where some subset of the users' account numbers match Epoch time format. So Splunk uses that time as the time. The correct field it should use is **start**.
I assume there is some way to set in the props.conf on the indexers to say
```
[mysourcetype]
Time_Use_Field=start
```
But for the life of me the time documentation is going over my head.
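As an added illustration (not part of the original post, and not an answer from the thread), here is the props.conf approach a practitioner would usually take for this symptom. The idea is to anchor Splunk's timestamp extraction on the `start=` key with `TIME_PREFIX`, so an earlier `usernum=` value that happens to look like an epoch time is never considered. The stanza name `mysourcetype` comes from the question; the assumption that `start` holds epoch seconds (hence `TIME_FORMAT = %s`) and the lookahead of 10 characters are assumptions, and must be adjusted if `start` is written in another format:

```ini
# props.conf on the indexers (or on the heavy forwarder if one parses first).
# Assumes events look like: ... usernum=1311111111 ... start=1400000000 ...
[mysourcetype]
# Only look for a timestamp after the literal text "start=" (regex, anchored
# to the key so a usernum value that resembles an epoch time is skipped).
TIME_PREFIX = start=
# Assumption: start is epoch seconds. Use a strptime pattern instead if the
# field is a formatted date, e.g. %Y-%m-%dT%H:%M:%S%z
TIME_FORMAT = %s
# Number of characters after TIME_PREFIX that may contain the timestamp;
# 10 digits fits an epoch-seconds value, so nothing further right is read.
MAX_TIMESTAMP_LOOKAHEAD = 10
```

Two caveats that matter in practice: timestamp extraction is an index-time setting, so the events already indexed as 2011 keep that `_time` and only newly arriving data is affected (the change also needs a restart or a settings reload on the parsing tier), and `TIME_PREFIX` must match text that occurs before the timestamp in the raw event, so if `start=` is not reliably present the fallback is the current time at indexing, which you would want to notice. A quick check after the change is a search over the sourcetype that compares `_time` with the extracted `start` field and counts events where they disagree.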