I have a source that only contains the time of an event, not the date. It looks something like this:
...
08:26:40 event1
08:26:41 event2
13:59:09 event3
13:59:12 event4
...
The order in the source is not by time but rather grouped by application specifics. When I try to index this, Splunk correctly recognizes the time based on my TIMESTAMP_FORMAT, but for each large skip forward, as with event2 to event3, it skips back a day, so event2 gets inserted as April 19th 08:26:41 (correct), but event3 gets inserted as April 18th 13:59:09. Fiddling with MAX_DIFF_SECS_AGO / _HENCE does not appear to help.
Any ideas?
Edit: I've dug through comparing an example file with the events in Splunk; here's where the timestamp jumps occur:
Event  Source    Splunk
1      18:23:50  18:23:50 April 18th
2      07:16:22  07:16:22 April 17th, jumped back one day
3      07:16:24  07:16:24 April 17th
...
754    08:49:08  08:49:08 April 17th
755    08:26:41  08:26:41 April 17th
756    13:59:09  13:59:09 April 16th, jumped back one day
757    13:59:12  13:59:12 April 16th
...
817    14:15:38  14:15:38 April 16th
818    08:27:35  08:27:35 April 16th, did not jump
...
The jumps don't seem to follow a simple pattern. Event 1 to 2 was a time gap backwards by 11 hours; this caused a jump. 755 to 756 was 5 hours forwards, and jumped again. 817 to 818 was backwards, as with 1 to 2, and by more hours than 755 to 756, but no jump...
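Added illustration, not from the post and not Splunk's own code: a small Python pre-processor that stamps each time-only line with one known date before the file is indexed, so the indexer has nothing to infer. Alongside it is a deliberately naive "advance the day when the clock goes backwards" heuristic; it is not Splunk's algorithm, only a demonstration of why any inference that assumes chronological order must mis-date a file whose lines are grouped by application rather than by time. Assumptions made here: the log file name carries the date the events belong to (app-2013-04-18.log is a constructed name, and the year 2013 is made up), and the sample lines are constructed from the post's table.

```python
import re
from datetime import date, datetime, timedelta

# Constructed sample, modelled on the post: one day's worth of time-only events
# grouped by application rather than sorted chronologically.
SAMPLE = [
    "18:23:50 event1",
    "07:16:22 event2",
    "07:16:24 event3",
    "08:26:41 event4",
    "13:59:09 event5",
    "13:59:12 event6",
    "14:15:38 event7",
    "08:27:35 event8",
    "  continuation line without a time",
]

TIME_RE = re.compile(r"^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<msg>.*)$")


def date_from_filename(name):
    """Pull a YYYY-MM-DD (or YYYYMMDD) date out of a log file name.

    Assumption for this example: the file name carries the day the events belong to.
    Returns the date as an ISO string.
    """
    m = re.search(r"(\d{4})-?(\d{2})-?(\d{2})", name)
    if not m:
        raise ValueError(f"no date in file name: {name!r}")
    return date(int(m.group(1)), int(m.group(2)), int(m.group(3))).isoformat()


def stamp_with_fixed_date(lines, day):
    """Rewrite 'HH:MM:SS msg' lines as 'YYYY-MM-DD HH:MM:SS msg' using one known date.

    Every event gets the same day, so the indexer has nothing to guess and cannot
    drift backwards on large time gaps. Lines without a leading time
    (continuation lines) are passed through unchanged.
    """
    base = date.fromisoformat(day)
    out = []
    for line in lines:
        m = TIME_RE.match(line)
        if not m:
            out.append(line)
            continue
        t = datetime.strptime(m.group("time"), "%H:%M:%S").time()
        out.append(f"{datetime.combine(base, t):%Y-%m-%d %H:%M:%S} {m.group('msg')}")
    return out


def infer_by_rollover(lines, start_day):
    """Naive date inference: assume chronological order and advance one day
    whenever the clock goes backwards. This is NOT Splunk's algorithm; it only
    shows what an ordering-based guess does to a file that is not ordered.
    Returns 'YYYY-MM-DD HH:MM:SS' strings for the time-bearing lines.
    """
    day = date.fromisoformat(start_day)
    prev = None
    out = []
    for line in lines:
        m = TIME_RE.match(line)
        if not m:
            continue  # no time to parse, nothing to date
        t = datetime.strptime(m.group("time"), "%H:%M:%S").time()
        if prev is not None and t < prev:
            day += timedelta(days=1)
        prev = t
        out.append(datetime.combine(day, t).isoformat(sep=" "))
    return out


if __name__ == "__main__":
    day = date_from_filename("app-2013-04-18.log")  # constructed file name
    for line in stamp_with_fixed_date(SAMPLE, day):
        print(line)
    days_guessed = {ts[:10] for ts in infer_by_rollover(SAMPLE, day)}
    print(f"naive inference spreads this one-day file over {len(days_guessed)} days")
```

On the sample, the rollover heuristic turns a single day's file into three distinct dates (the backwards step at event 2 and again at event 8 each bump the day), which is the same class of mistake as the jumps in the table above, while the stamped output carries one explicit date on every line. Once the date is in the line, the indexer can be told the full format (in Splunk, a TIME_FORMAT of %Y-%m-%d %H:%M:%S in props.conf) and no longer has to infer it.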