Splunk - Adjusting source file timestamp

Given:

• I have two log files (file_1, file_2)
• Each from a different server (server_1, server_2).
• The servers are not property synchronized via ntpd. (Example: server_1 is 13 seconds ahead of server_2.)
• I do not have the ability to adjust or correct the server times.
• I am the Splunk user, not the Splunk administrator.

Problem: After ingesting each of the log files, the events are off by 13 seconds (obviously).

Question: Can I adjust the _time for all events in source=file_2 by 13 seconds so the events line up correctly in search results, graphs, etc.?

(Note: this is a simple break down of the more complex problem. I have thousands of logs from hundreds of servers. I cannot simply re-run/create these logs.)

You can do set the Splunk timestamp to whatever you want simply be overwriting the _time field for those events:

<any base search> source=file_2  | eval _time=_time+13

We can use an eval if statement to view all events and update the time only for file_2

<any base search> | eval _time=if(source=="file_2", _time+13, _time)