Solved: Configuration for Identify & Index events with fut...

krishnarajb2304 · ‎08-10-2015

Hi Splunker's,

Events coming for future dates, how to identify the future events and index them.

Thanks,

vasanthmss · ‎08-10-2015

Hi,

Add the following configuration in props.conf along with time stamp recognition.

Props.conf:

MAX_DAYS_HENCE = <integer>

Sample configuration will look next 3 days,

MAX_DAYS_HENCE = 3

Maximum Integer value is 10950 (days).

Gothrough the following Links ,

http://docs.splunk.com/Documentation/Splunk/6.2.4/Data/Configuretimestamprecognition
http://docs.splunk.com/Documentation/Splunk/6.2.4/admin/Propsconf

V

View solution in original post

woodcock · ‎08-10-2015

The answer by @vasanthmss is a good one and the one I would have given (but he got there first). The answer assumes that it is correct and proper for you go get events "from the future" and so we are accommodating/allowing them. But perhaps that is not what you desire; are you trying to fix/prevent events from the future?

krishnarajb2304 · ‎08-10-2015

we are looking for the hence day.

Thanks Woodcook,

vasanthmss · ‎08-10-2015

Hi,

Add the following configuration in props.conf along with time stamp recognition.

Props.conf:

MAX_DAYS_HENCE = <integer>

Sample configuration will look next 3 days,

MAX_DAYS_HENCE = 3

Maximum Integer value is 10950 (days).

Gothrough the following Links ,

http://docs.splunk.com/Documentation/Splunk/6.2.4/Data/Configuretimestamprecognition
http://docs.splunk.com/Documentation/Splunk/6.2.4/admin/Propsconf

V

Configuration for Identify & Index events with future date

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...