
SIEM plugin for SailPoint and Splunk timestamp discrepancy


I have a question about how events arrive inside of a tool such as Splunk.

Currently, it appears that the way the plugin works is it will send the records over to the log collection application in question, placing the time stamp of the event in epoch time (located in the attributes of the event).

However, it would appear that within Splunk, it is marking the event time at which point it entered into Splunk.

So, for example, I have an event that happened two years ago, the time stamp on the event shows that and SailPoint shows that (even Splunk will show that if you drill into the event).

However, when I import into Splunk, let's say today (March 15, 2021), Splunk will show the event timestamp of today instead of when the actual event took place.

So when I am doing analytics, I can't actually look for when the event took place based on Splunk's timestamps (because Splunk is showing the day of import, not when the event took place): it won't actually be showing me events that took place two years ago.

Splunk would be showing those events that took place two years ago as events that took place today because that's when the events from SailPoint were imported into Splunk.


Solution

  • It sounds like the event date is being set to the index date

    What does your props.conf look like for setting the timestamp?

    Based on your comment, you should add the following to the TA's local/props.conf:

    TIME_PREFIX=\"created\": 
    TIME_FORMAT=%s$3N
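To make the effect of that props.conf pair concrete, here is an added example (not part of the original thread, and not SailPoint's or Splunk's own code) that mirrors the extraction in Python: the TIME_PREFIX regex must match just before the timestamp, and TIME_FORMAT `%s%3N` then consumes epoch seconds plus three millisecond digits. When either step fails, the event falls back to the index time, which is exactly the symptom described above. The sample events are constructed; only the `created` field follows the real record shape, and the other field names are placeholders.

```python
import re
from datetime import datetime, timedelta, timezone

# Python equivalents of the two props.conf settings from the answer (a
# constructed approximation of Splunk's extraction, not Splunk's own parser):
#   TIME_PREFIX = "created":  -> regex that must match just before the timestamp
#   TIME_FORMAT = %s%3N       -> epoch seconds (%s) followed by three millisecond digits (%3N)
TIME_PREFIX = re.compile(r'"created":\s*')
TIME_FORMAT = re.compile(r'(\d{10})(\d{3})')


def extract_event_time(raw_event: str, index_time: datetime):
    """Return (timestamp, how) where timestamp is what Splunk would use as _time.

    When TIME_PREFIX and TIME_FORMAT both match, the embedded epoch-millisecond
    value becomes the event time. When either fails, the fallback is the index
    time: old events get stamped with the day they were imported.
    """
    prefix = TIME_PREFIX.search(raw_event)
    if prefix is None:
        return index_time, "fallback: TIME_PREFIX did not match"
    stamp = TIME_FORMAT.match(raw_event, prefix.end())
    if stamp is None:
        return index_time, "fallback: TIME_FORMAT did not match"
    seconds, millis = int(stamp.group(1)), int(stamp.group(2))
    event_time = datetime.fromtimestamp(seconds, tz=timezone.utc) + timedelta(milliseconds=millis)
    return event_time, "extracted from event"


def lag_days(event_time: datetime, index_time: datetime) -> int:
    """Whole days between when the event happened and when it was indexed."""
    return (index_time - event_time).days


# Constructed sample events in the shape of SailPoint audit records; field
# names other than "created" are illustrative placeholders.
INDEX_TIME = datetime(2021, 3, 15, tzinfo=timezone.utc)  # the import day from the question
SAMPLE_EVENTS = {
    # 1552608000000 ms = 2019-03-15T00:00:00Z, two years before the import
    "old_event": '{"created": 1552608000000, "action": "update", "target": "user.placeholder"}',
    # no "created" field at all -> TIME_PREFIX cannot match
    "no_created": '{"action": "update", "target": "user.placeholder"}',
    # "created" present but as an ISO string -> TIME_FORMAT cannot match
    "iso_created": '{"created": "2019-03-15T00:00:00Z", "action": "update"}',
}


def classify_samples():
    """Run every sample through the extraction and report the resulting _time."""
    results = {}
    for name, raw in SAMPLE_EVENTS.items():
        event_time, how = extract_event_time(raw, INDEX_TIME)
        results[name] = (event_time, how, lag_days(event_time, INDEX_TIME))
    return results


if __name__ == "__main__":
    for name, (event_time, how, lag) in classify_samples().items():
        print(f"{name:12s} _time={event_time.isoformat()}  lag={lag:4d} days  ({how})")
```

Two practical points follow from this. First, timestamp extraction happens when an event is parsed and indexed, so the props.conf change only affects events ingested after it is deployed; records already indexed keep their index-time `_time`. Second, after the change, a search that compares `_time` with `_indextime` (for example `| eval lag_days=round((_indextime-_time)/86400)`) shows whether old SailPoint events now carry their real event time (a large lag) or are still falling back to the import time (a lag of zero).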