I have system records which are in the following format:
RECORD_DATE=20130124145912|NAME=XYZ|PHONE=XXXXX|
Normally there is a delay of 2-3 hours before these records reach the Splunk server.
Splunk is displaying reports based on the time it receives the records; can I configure Splunk to build all reports based on RECORD_DATE?
RECORD_DATE is in YYYYMMDDHHMMSS format.
I have used the strftime function for some of my reports, but this doesn't work for the timeline.
strftime(strptime(RECORD_DATE,"%Y%m%d%H%M%S"),"%Y-%m-%d %H:%M")
I want Splunk to use RECORD_DATE for the timeline.
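As an added example (not part of the question above), a props.conf stanza that tells Splunk to read _time from RECORD_DATE at index time, so the timeline and every report follow the record's own timestamp instead of its arrival time; the sourcetype name my_records is an assumption, and the stanza belongs on the indexer or heavy forwarder that parses the data:

```ini
; props.conf on the parsing tier (indexer / heavy forwarder)
; "my_records" is an assumed sourcetype name; use the one assigned to these records
[my_records]
; regex that precedes the timestamp in each record
TIME_PREFIX = RECORD_DATE=
; RECORD_DATE is YYYYMMDDHHMMSS, so include %S or the seconds are left unparsed
TIME_FORMAT = %Y%m%d%H%M%S
; 14 characters follow the prefix; stop Splunk scanning further for a date
MAX_TIMESTAMP_LOOKAHEAD = 14
; records arrive 2-3 hours late, so keep the timezone explicit
; (set to the zone RECORD_DATE is written in, UTC assumed here)
TZ = UTC
```

This only affects data indexed after the change; for data already indexed, the equivalent search-time fix is `| eval _time=strptime(RECORD_DATE,"%Y%m%d%H%M%S")` placed before any timechart, which also feeds the timeline.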