I just setup another splunk server. Foolishly I forgot to turn on NTP and the system clock was way off. The first chunk of log messages came in via Syslog and are indexed on when the were received by syslog (local time) not the correct date/time that appears in the log message.
Jun 12 03:59:58 10.0.59.59 id=firewall sn=0017C569F354 time="2013-06-12 10:59:59" fw=10.0.59.59 pri=6 c=1024 m=537 msg="Connection Closed" app=49176 sess=Web n=3268362 usr="admin" src=10.0.0.236:54609:X1 dst=10.0.59.59:80:X1 proto=tcp/http sent=775 rcvd=1659
As you can see from the log above the local time is: "12 03:59:58" where the log message time (remote) is time="2013-06-12 10:59:59"
do I need to teach splunk how to extract that date/time field or do I need to switch splunk to index based on log source time instead? If so how do I do that?