- Splunk Answers
- :
- Splunk Administration
- :
- Installation
- :
- DATETIME_CONFIG = NONE not working
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DATETIME_CONFIG = NONE not working
I downloaded a free trial version of Splunk Enterprise.
Indexed in a file on the network (updates every minute) so its not local to my PC. File has a timestamp column.
Looks like the indexer is parsing the data in file to pickup time stamp.
So, I tried defining "DATETIME_CONFIG = NONE" in props.conf in the location 'C:\Program Files\Splunk\etc\system\local', still uses timestamp from the file and not the data indexing time.
What do I need to do so that time stamp for every event is the data indexing time or the file generation time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do no put any settings in $SPLUNK_HOME/etc/system/local/props.conf. Instead, create your own app in $SPLUNK_HOME/etc/apps/ArbitraryNameHere/local/props.conf. Make sure that it has only these lines:
[YourSourcetypeHere]
DATETIME_CONFIG = CURRENT
# NOTE, do not use "NONE"
Put this on your Indexer. Restart Splunk. Check only for newly Indexed events; use a search like this:
index=YourIndexHere sourcetype=YourSourcetypeHere | where _indextime == _time
If you get events, then it is working.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you restarted Splunk after the change in props.conf?
Does the source, host, or sourcetype defined in the props stanza match? since this is a regex like match it is actually case sensitive 😉
Also remember this will only apply to new incoming events.
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes and yes for both the questions. also matched the case. Still doesnt work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The file that I am indexing is not local to my PC, its from a server location. May be that's why the changes I make to props.conf doesn't work?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ok, after some digging, might have found the issue. To add data there are initial 3 options, Upload / Monitor / Forward.
I had selected Monitor ( which is for external sources like Files - HTTP - WMI - TCP/UDP - Scripts
Modular inputs for external data sources). Now instead I selected Upload (from local PC, this also allows you to upload from drives from servers which are mapped in your PC).
When I did this, while adding data it gave me option to 'Set Source Type' (which is not available in Monitor). In there was option to play around with timestamp (use current / parse data). So I didnt need to edit props.conf anymore.
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
