You should be able to do this using props.conf on the indexer (since you're using LWF)
[mysourcetype]
DATETIME_CONFIG = CURRENT
See http://www.splunk.com/base/Documentation/latest/Admin/Propsconf for more info.
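A quick way to confirm the setting has taken effect on the indexer, as an added example (not part of the original answer): for events indexed after the change, `_indextime` and `_time` should be equal, so the lag below should be 0 for every event. The sourcetype name `mysourcetype` and the 15-minute window are assumptions.

```spl
sourcetype=mysourcetype earliest=-15m
| eval lag=_indextime-_time
| stats count min(lag) AS min_lag max(lag) AS max_lag by sourcetype
```

A non-zero `max_lag` means timestamps are still being extracted from the event text (or the stanza is on the wrong host or misnamed). Note that with DATETIME_CONFIG = CURRENT the time the event actually occurred survives only in `_raw`, if it is present there at all, so any timeline built from these events has to be reconstructed from the raw text rather than from `_time`.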
Docs scrubbed. Sorry, old error. Passes smell test but was incorrect.
Can you post a link to where you found that in the docs? I didn't see it in the reference for props.conf, which confused me a little.
Thanks, this worked, but MAX_TIMESTAMP_LOOKAHEAD = 0 did not, which confuses me. Why would the documentation say setting the MAX_TIMESTAMP_LOOKAHEAD to 0 will cause Splunk not to look into the event for a timestamp, and use the current system time as the timestamp? I did not see this behavior when I used this configuration.
I was looking through the documentation and found the answer shortly after I posted.
If your events are indexed in real time, increase Splunk's overall indexing performance by turning off timestamp lookahead (set MAX_TIMESTAMP_LOOKAHEAD = 0). This causes Splunk to not look into events for a timestamp, and sets an event's timestamp to be its indexing time (using current system time).