We would like to set the index time to be the event time (at index time). How can we do it?
Hi ddrillic,
You can do this by adding this to props.conf on indexers.
[mysourcetype]
DATETIME_CONFIG = CURRENT
Let me know if this helps.
DATETIME_CONFIG = CURRENT
appears to read that the time it hits the forwarder is the time it will appear in the search/index window.
I need to use the actual time of the event that is inside the event as the time; how do I configure this?
Did you ever get resolution to this?
If so it would be great if you could provide the info.
Hello,
I did not realize that I was posting the same answer until I refreshed the browser. But anyway,
Set DATETIME_CONFIG = CURRENT
to assign the current system time to each event as it's indexed.
DATETIME_CONFIG = <filename relative to $SPLUNK_HOME>
* Specifies which file configures the timestamp extractor, which identifies
timestamps from the event text.
* This configuration may also be set to "NONE" to prevent the timestamp
extractor from running or "CURRENT" to assign the current system time to
each event.
* "CURRENT" will set the time of the event to the time that the event was
merged from lines, or worded differently, the time it passed through the
aggregator processor.
* "NONE" will leave the event time set to whatever time was selected by
the input layer
* For data sent by splunk forwarders over the splunk protocol, the input
layer will be the time that was selected on the forwarder by its input
behavior (as below).
* For file-based inputs (monitor, batch) the time chosen will be the
modification timestamp on the file being read.
* For other inputs, the time chosen will be the current system time when
the event is read from the pipe/socket/etc.
* Both "CURRENT" and "NONE" explicitly disable the per-text timestamp
identification, so the default event boundary detection
(BREAK_ONLY_BEFORE_DATE = true) is likely to not work as desired. When
using these settings, use SHOULD_LINEMERGE and/or the BREAK_ONLY_* ,
MUST_BREAK_* settings to control event merging.
* Defaults to /etc/datetime.xml (for example, $SPLUNK_HOME/etc/datetime.xml).
If you meant setting the timestamp for an event based on the current system time (the time at which it is being indexed), you can use DATETIME_CONFIG = CURRENT in props.conf for the sourcetype.
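To show both behaviours discussed in this thread side by side, here is an added props.conf example (written for this page, not taken from the original posts or from Splunk's documentation). The sourcetype names, the constructed sample event, the regex and the time format are assumptions; the setting names are standard props.conf settings.

```ini
# Added example, not from the original thread. Sourcetype names, the sample
# event, TIME_PREFIX and TIME_FORMAT below are assumptions for illustration.
# These settings belong on the parsing tier (indexers or heavy forwarders);
# a universal forwarder does not run timestamp extraction.

# Option A: stamp every event with the time it passes through the aggregator
# (what this thread calls "index time"). As the spec text quoted above says,
# CURRENT disables timestamp-based line merging, so define event boundaries
# explicitly instead of relying on BREAK_ONLY_BEFORE_DATE.
[mysourcetype_indextime]
DATETIME_CONFIG = CURRENT
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)

# Option B: use the timestamp embedded in the event text. Constructed sample
# line this stanza is written for:
#   web01 ts=2019-03-05 14:22:17,123 +0000 level=INFO user=alice action=login
[mysourcetype_eventtime]
# Regex that precedes the timestamp, so the extractor does not pick up
# other digit runs earlier in the event
TIME_PREFIX = ts=
# Matches "2019-03-05 14:22:17,123 +0000"; %3N is milliseconds, %z the offset
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N %z
# The timestamp occupies 29 characters after the prefix; do not scan further
MAX_TIMESTAMP_LOOKAHEAD = 30
# Fallback zone, only applied when the extracted string carries no offset.
# Without it the indexer's local zone is assumed, which silently shifts _time.
TZ = UTC
# Events are single lines; skip the default date-based merging heuristics
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
```

Option A is convenient when a source has no usable timestamp, but it throws away the real event time, so any delay in the forwarding path shows up as a wrong _time and distorts investigation timelines. After a restart with option B, a quick check is to search the sourcetype and compare the two fields, e.g. with "| eval lag=_indextime-_time | stats min(lag) max(lag)": lag should be small and never negative; a constant offset of whole hours usually means the TZ or %z handling is wrong, and lag equal to zero on every event means the extractor fell back to index time.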