Splunk "_time" watermarks not advancing on some data sources. The ingestion is pulling watermarks that are too old and stays stuck on the Blue Coat and IronPort data sources.
N/A
6.5.2.1
Incorrect time variables configured in the Splunk query.
In conjunction with the tenets of ICA watermarking described in KB TECH249759, it was necessary to change the Splunk query to use the "deviceReceiptTime" field carried in the events and convert it into the "_time" field, which is the field the watermark is taken from. Once this was completed, the integration step ran successfully and the latest completed watermark dates were current and accurate. The details of the change are specific to Splunk and are therefore not included here; a customer using this integration is expected to have sufficient Splunk scripting capability to make this type of change.
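The following SPL search is an illustrative example added here; it is not the ICA integration's own query, and the index name, the sourcetype names and the deviceReceiptTime formats it handles are assumptions. It shows the kind of change the resolution describes: _time is recomputed from deviceReceiptTime (accepting epoch milliseconds, epoch seconds, or a "Mon dd yyyy HH:MM:SS" string), and the watermark that the original _time and the converted _time would each produce is reported side by side per sourcetype, so the lag that stalls the watermark can be seen before the change is rolled out.

```spl
index=proxy (sourcetype="bluecoat:proxysg" OR sourcetype="cisco:ironport") earliest=-24h
| eval original_time=_time
| eval _time=case(
        match(deviceReceiptTime, "^\d{13}$"), deviceReceiptTime/1000,
        match(deviceReceiptTime, "^\d{10}$"), tonumber(deviceReceiptTime),
        true(), strptime(deviceReceiptTime, "%b %d %Y %H:%M:%S"))
| where isnotnull(_time)
| stats count AS events, max(original_time) AS old_watermark, max(_time) AS new_watermark BY sourcetype
| eval old_watermark=strftime(old_watermark, "%Y-%m-%d %H:%M:%S"),
       new_watermark=strftime(new_watermark, "%Y-%m-%d %H:%M:%S")
```

Two checks are worth making before adopting the conversion in the integration query. First, run the search once without the `where isnotnull(_time)` line and compare the event counts: any sourcetype whose deviceReceiptTime does not match one of the `case` branches will produce a null `_time`, and those events would silently drop out of the watermark. Second, confirm that `new_watermark` is later than `old_watermark` only by a plausible amount; a new watermark far in the future usually means the epoch value was interpreted with the wrong unit (seconds treated as milliseconds or vice versa), which would advance the watermark past events that have not yet arrived.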