Using index time as time stamp

carmackd
Communicator

Is there any way to ignore the event's time stamp, and set it to the current system time (at the event's index time)?

I'm using lightweight forwarders so I assume this would need to be done on the indexer.

1 Solution

dwaddle
SplunkTrust

You should be able to do this using props.conf on the indexer (since you're using LWF)

[mysourcetype]
DATETIME_CONFIG = CURRENT

See http://www.splunk.com/base/Documentation/latest/Admin/Propsconf for more info.

jrodman
Splunk Employee

Docs scrubbed. Sorry, old error. Passes smell test but was incorrect.

dwaddle
SplunkTrust

Can you post a link to where you found that in the docs? I didn't see it in the reference for props.conf, which confused me a little.


carmackd
Communicator

Thanks, this worked, but MAX_TIMESTAMP_LOOKAHEAD = 0 did not, which confuses me. Why would the documentation say setting MAX_TIMESTAMP_LOOKAHEAD to 0 will cause Splunk not to look into the event for a timestamp, and use the current system time as the timestamp? I did not see this behavior when I used this configuration.


carmackd
Communicator

I was looking through the documentation and found the answer shortly after I posted.

If your events are indexed in real time, increase Splunk's overall indexing performance by turning off timestamp lookahead (set MAX_TIMESTAMP_LOOKAHEAD = 0). This causes Splunk to not look into events for a timestamp, and sets an event's timestamp to be its indexing time (using current system time).
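To make the difference between the two settings discussed in this thread concrete, here is a small Python emulation added to this page. It is not Splunk code and not the props.conf parser Splunk uses; it only models the two decisions the thread talks about: DATETIME_CONFIG = CURRENT stamping every event with its index time, and a TIME_PREFIX / TIME_FORMAT / MAX_TIMESTAMP_LOOKAHEAD extraction window reading the time out of the event. The stanza names (mysourcetype, app_log), the sample events and the fixed index time are constructed for the demo, the default lookahead of 128 characters is an assumption, and the behaviour of a lookahead of 0 (which carmackd reports did not yield index time) is deliberately not modelled.

```python
import re
import configparser
from datetime import datetime, timezone

# Constructed props.conf text for the demo; the sourcetype names are hypothetical.
PROPS_CONF = """\
[mysourcetype]
DATETIME_CONFIG = CURRENT

[app_log]
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19
"""

# Constructed sample events: the first carries a parseable timestamp, the second does not.
SAMPLE_EVENTS = [
    "2024-03-01 10:15:00 user=alice action=login result=success",
    "heartbeat ok",
]

# Constructed "current system time" on the indexer, five minutes after the first event.
INDEX_TIME = datetime(2024, 3, 1, 10, 20, 0, tzinfo=timezone.utc)


def load_props(text):
    """Parse props.conf-style stanzas into {stanza: {key: value}} (case of keys preserved)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return {name: dict(cp.items(name)) for name in cp.sections()}


def assign_time(raw, stanza, index_time):
    """Return (timestamp, source); source is 'index_time' or 'event'.

    Emulation only (assumption): real Splunk applies many more timestamp rules.
    """
    # DATETIME_CONFIG = CURRENT: never look into the event, use the indexer clock.
    if stanza.get("DATETIME_CONFIG", "").upper() == "CURRENT":
        return index_time, "index_time"

    prefix = stanza.get("TIME_PREFIX", "")
    fmt = stanza.get("TIME_FORMAT")
    lookahead = int(stanza.get("MAX_TIMESTAMP_LOOKAHEAD", "128"))  # 128 assumed default
    m = re.search(prefix, raw)
    if m is None or fmt is None:
        return index_time, "index_time"

    # Only the `lookahead` characters after the prefix match are examined.
    window = raw[m.end():m.end() + lookahead]
    # Try the longest slice of the window first so trailing text does not break strptime.
    for end in range(len(window), 0, -1):
        try:
            ts = datetime.strptime(window[:end], fmt)
        except ValueError:
            continue
        return ts.replace(tzinfo=timezone.utc), "event"
    # No timestamp found in the window: fall back to index time.
    return index_time, "index_time"


def index_events(events, stanza, index_time):
    """Tag each event with its assigned _time, where it came from, and the ingest skew."""
    out = []
    for raw in events:
        ts, source = assign_time(raw, stanza, index_time)
        out.append({
            "raw": raw,
            "_time": ts,
            "source": source,
            "skew_s": (index_time - ts).total_seconds(),
        })
    return out


def demo(sourcetype):
    """Run the constructed events through one stanza with the constructed index time."""
    props = load_props(PROPS_CONF)
    return index_events(SAMPLE_EVENTS, props[sourcetype], INDEX_TIME)


if __name__ == "__main__":
    for st in ("mysourcetype", "app_log"):
        for rec in demo(st):
            print(st, rec["_time"].isoformat(), rec["source"], rec["skew_s"], rec["raw"])
```

The skew column is the point to watch: with DATETIME_CONFIG = CURRENT it is always 0 because the time the event actually happened is discarded at index time, so a forwarder backlog or a clock problem on the source host is no longer visible in _time. For data you may later need in an incident timeline, keep timestamp extraction on and inspect the gap between event time and index time instead.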
