The problem is that there is a lag in the log shipping from our application to Splunk. After some investigation we realized that we can override the event time by providing a _time property in the logs (ref: https://docs.splunk.com/Documentation/SCS/current/Search/Timestampsandtimeranges), and it should be a UNIX epoch time (seconds). We did that, but it didn't have any effect on the event time and the time difference persists. We have been testing a lot of possibilities for a while now, yet none of them did the trick.