I have indexed data on splunk but i can see the _time(indexed time) is showing wrong like.
I had indexed this data on 19th oct but this is showing like it is indexed on 18th oct.
Please suggest what would be the solution or i need to manually overwrite the _time key with current date time.
Thanks
_time is not the time the event was indexed - that's _index_time. _time is the time the event happened, which usually is different from when it was indexed (because of transport/processing delays).
From your screenshot I see what I presume is the event time ('date' field) differs from _time. That often happens when the time zone is incorrect or is not interpreted correctly. Were that the case here, however, I would expect the difference between date and _time to be a multiple of 30 minutes.
From what I see in the question, it's possible the props.conf settings are causing Splunk to interpret the wrong field as _time. Closer inspection shows the sourcetype ends with "too_small". This is an indication that Splunk does not have specific settings for the sourcetype so it's trying to guess at where the timestamp is (and getting it wrong, obviously).
The solution is to create a props.conf stanza for the sourcetype. It should be something like this:
Put this settings on your indexer and restart it. Events that arrive after that should have the right time on them.