Hi,
I have a number of logfiles that do not have timestamps. I am processing these logs with the universal forwarder, on Windows servers. I want the timestamp to be equal to the universal forwarder's time when the entry was processed. How would I configure props.conf to do such a thing?
This is possible, but the timestamp will be the index time at the indexer (not the read time at the forwarder).
You have to define a sourcetype for your log, and define it in props.conf on the indexer:
[mysourcetypefornotimestamp]
DATETIME_CONFIG = CURRENT
See http://docs.splunk.com/Documentation/Splunk/5.0.1/Data/Configuretimestamprecognition
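The two files involved, shown together as an added example that is not part of the original answer: the forwarder assigns the sourcetype in inputs.conf, and the indexer applies the props.conf stanza from the answer. The monitored path is a hypothetical placeholder; the sourcetype name is the one used above.

```ini
# --- inputs.conf on the universal forwarder ---
# Hypothetical path: replace with the location of your own logfiles.
[monitor://C:\logs\myapp\*.log]
sourcetype = mysourcetypefornotimestamp

# --- props.conf on the indexer ---
# The stanza name must match the sourcetype assigned by the forwarder.
[mysourcetypefornotimestamp]
# Skip timestamp extraction and stamp each event with the indexer's
# current time as it is indexed.
DATETIME_CONFIG = CURRENT
```

With this in place the event time is the indexer's processing time, so any forwarding delay or backlog shifts the recorded time away from when the line was actually written to the log.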