Getting Data In

What is the difference between "NONE" and "CURRENT" regarding the setting value of "DATETIME_CONFIG"?

yutaka1005
Builder

I'm sorry for the rudimentary question.

Regarding the setting value of "DATETIME_CONFIG", I cannot understand the difference between "NONE" and "CURRENT" even if I look at the props.conf manual.

I think that both of them are things to define "_time" with another rule rather than extracting the timestamp described on the log, but what is the distinct difference?

Would anyone tell me about it easily?

0 Karma
1 Solution

HiroshiSatoh
Champion

If you set it to NONE, I think that there is a possibility that it will be set from the update time of the file.

Excerpt from "Timestamp extraction configuration":

  • "CURRENT" will set the time of the event to the time that the event was merged from lines, or worded differently, the time it passed through the aggregator processor.
  • "NONE" will leave the event time set to whatever time was selected by the input layer.
  • For data sent by splunk forwarders over the splunk protocol, the input layer will be the time that was selected on the forwarder by its input behavior (as below).
  • For file-based inputs (monitor, batch) the time chosen will be the modification timestamp on the file being read.
  • For other inputs, the time chosen will be the current system time when the event is read from the pipe/socket/etc.
  • Both "CURRENT" and "NONE" explicitly disable the per-text timestamp identification, so the default event boundary detection (BREAK_ONLY_BEFORE_DATE = true) is likely to not work as desired. When using these settings, use SHOULD_LINEMERGE and/or the BREAK_ONLY_*, MUST_BREAK_* settings to control event merging.


0 Karma
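To make the two settings concrete, here is an added props.conf example (not part of the accepted answer or of Splunk's documentation). The stanza names and the regexes are hypothetical; the setting names are the real props.conf keys referenced above. It puts a CURRENT sourcetype, a NONE sourcetype and the normal timestamp-parsing case side by side, each with the explicit line-breaking the answer says you need once per-text timestamp identification is switched off.

```ini
# Added example, not from the original post. Stanza names and regexes are
# made up for illustration; the keys are standard props.conf settings.

# 1) Log lines carry no parseable timestamp at all.
#    CURRENT stamps each event with the time it passes through the
#    aggregator (the time Splunk merged/processed it), not the time it
#    happened. Timestamp identification is disabled, so event breaking
#    must be explicit: here one line per event, no date-based merging.
[hypothetical_app_no_timestamp]
DATETIME_CONFIG = CURRENT
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)

# 2) The input layer's time is acceptable.
#    For a monitored file that is the file's modification time; for a
#    network or scripted input it is the system time when the event was
#    read. NONE keeps that value. Multi-line events still need explicit
#    merge rules because BREAK_ONLY_BEFORE_DATE cannot work here.
[hypothetical_app_input_time]
DATETIME_CONFIG = NONE
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = ^\[session
MAX_EVENTS = 256

# 3) For comparison: the default path, where _time is parsed out of the
#    event text. Use this whenever the log actually contains a timestamp.
[hypothetical_app_with_timestamp]
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z
MAX_TIMESTAMP_LOOKAHEAD = 25
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
```

The practical consequence for detection and incident response is that with CURRENT or NONE the _time field reflects processing time or file modification time, not when the activity occurred, so a forwarder outage or a delayed batch read will shift events in time and break correlation across sources. Reserve these two settings for data that genuinely has no usable timestamp, and check the result in search with a comparison of _time against _indextime after deploying the stanza.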
