Hi All,
Is there a possible solution to strip the actual timestamp of the event and add the current system time as the event timestamp?
Scenario:
The timestamp of events for the syslog feed coming to my heavy forwarder looks like 2012-09-28T14:36:53.000.
All events have milliseconds of zero always because the syslog-generating server doesn't have the capability to add milliseconds.
So I was thinking if it is possible to ignore that timestamp and add the current timestamp of the indexer when indexing the events.
Splunk uses the current system time as event timestamp as a last resort. See more here: http://docs.splunk.com/Documentation/Splunk/latest/Data/HowSplunkextractstimestamps
Theoretically you could set up bogus time extraction rules that would make Splunk not find a timestamp in the event, which would then cause it to look for a timestamp in other locations and then resort to the current system time. It's not pretty, but it could work.
But I don't get why you want to throw the whole timestamp away just because there are some milliseconds that you're not using at the end? What's wrong about that?
You can force Splunk to just skip straight to current time by setting DATETIME_CONFIG = CURRENT in props.conf. You don't need bogus rules. But I agree with Ayn, I don't think this makes sense. You're not going to get the time of the event if you use server time, you're going to get the time it was processed by the server. This is pretty close to the real event time, but not likely to be accurate to the millisecond level, and the difference between that and actual event time is likely to be variable based on server and network load and latency.
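For readers comparing the two approaches, here is an added props.conf example (not from the original answer or from Splunk documentation) that puts the "use indexing time" setting next to a stanza that keeps the event's own timestamp. The sourcetype name `my_syslog_feed` is an assumption; substitute the sourcetype your heavy forwarder actually assigns to this feed.

```ini
# Added example, not part of the original thread. Sourcetype name is assumed.

# Option A: discard the event's timestamp and stamp each event with the
# time the Splunk instance processed it. Durations computed from _time will
# then reflect processing latency, not when the event actually occurred.
[my_syslog_feed]
DATETIME_CONFIG = CURRENT

# Option B: keep the event's own timestamp (2012-09-28T14:36:53.000 style)
# and parse it explicitly. %3N reads the three-digit subsecond field; it will
# always be .000 for this source, but _time still reflects the real event
# second and is reproducible across reindexing.
[my_syslog_feed_keep_event_time]
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N
MAX_TIMESTAMP_LOOKAHEAD = 23
```

Only one of the two stanzas should apply to a given sourcetype; they are shown side by side to make the trade-off visible. With option A, sub-second "transaction durations" measure the forwarder and indexer pipeline rather than the source system, so any conclusion drawn from them is about ingestion latency, not about the transaction itself.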
The reason I want milliseconds is to get proper transaction duration. If a transaction completes in the same second, the duration shown would be 0 instead of milliseconds.