Getting Data In

What is the difference between "NONE" and "CURRENT" regarding the setting value of "DATETIME_CONFIG"?

yutaka1005
Builder

I'm sorry for the rudimentary question.

Regarding the setting value of "DATETIME_CONFIG", I cannot understand the difference between "NONE" and "CURRENT" even after reading the props.conf manual.

I think both of them define "_time" by some other rule rather than by extracting the timestamp written in the log, but what is the distinct difference?

Could anyone explain it to me simply?

0 Karma
1 Solution

HiroshiSatoh
Champion

If you set it to NONE, I think there is a possibility that it will be set from the update time of the file.

Excerpt from "Timestamp extraction configuration":

  • "CURRENT" will set the time of the event to the time that the event was merged from lines, or worded differently, the time it passed through the aggregator processor.
  • "NONE" will leave the event time set to whatever time was selected by the input layer.
  • For data sent by splunk forwarders over the splunk protocol, the input layer will be the time that was selected on the forwarder by its input behavior (as below).
  • For file-based inputs (monitor, batch) the time chosen will be the modification timestamp on the file being read.
  • For other inputs, the time chosen will be the current system time when the event is read from the pipe/socket/etc.
  • Both "CURRENT" and "NONE" explicitly disable the per-text timestamp identification, so the default event boundary detection (BREAK_ONLY_BEFORE_DATE = true) is likely to not work as desired. When using these settings, use SHOULD_LINEMERGE and/or the BREAK_ONLY_*, MUST_BREAK_* settings to control event merging.


0 Karma
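To make the difference concrete, here is a props.conf fragment added as an example (it is not from the thread above and not from the Splunk documentation). The sourcetype names app:noheader, app:snapshot and app:timestamped are hypothetical. It puts the two settings from the excerpt side by side, and, because both of them turn off timestamp recognition, defines event boundaries explicitly instead of relying on BREAK_ONLY_BEFORE_DATE:

```ini
# props.conf (added example; sourcetype names are hypothetical)

# Lines carry no timestamp of their own, so _time comes from the
# indexing pipeline: the moment the event passed through the aggregator.
# Timestamp recognition is off, so BREAK_ONLY_BEFORE_DATE cannot find
# event boundaries; break on newlines explicitly.
[app:noheader]
DATETIME_CONFIG = CURRENT
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TRUNCATE = 10000

# Same line handling, but _time is whatever the input layer chose.
# For a monitored or batch file that is the file's modification time,
# so every event read from one file carries that same _time. This is
# fine for a file written once as a snapshot and misleading for a log
# that is appended to over hours, since the per-event order of events
# is no longer visible in _time.
[app:snapshot]
DATETIME_CONFIG = NONE
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)

# For contrast, the default: parse the timestamp out of the event text
# (datetime.xml is Splunk's default DATETIME_CONFIG). TIME_PREFIX and
# MAX_TIMESTAMP_LOOKAHEAD keep the parser from picking up a stray
# date-like token further into the line.
[app:timestamped]
DATETIME_CONFIG = /etc/datetime.xml
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z
MAX_TIMESTAMP_LOOKAHEAD = 25
```

After indexing a few events under each sourcetype, compare _time with _indextime in search: with CURRENT the two are nearly equal, with NONE on a file input _time sits at the file's modification time regardless of when each line was written, and only the timestamped sourcetype reflects the time recorded in the log itself. For forensic work that ordering matters, so CURRENT or NONE should only be used for data that genuinely has no usable timestamp of its own.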
