topic Re: Splunk to force the date of events with current date instead of file date in Splunk Enterprise

Splunk to force the date of events with current date instead of file date

Raja_Selvaraj — Tue, 22 Jul 2025 15:54:38 GMT

Hi Everyone,

Please help me regarding this ask - i need the splunk to show the respective events with the current date instead of the date when the file being placed in the host. For instance, like the file been placed in server dated 17th july and the events are showing with date 17th july instead i want with the current date.

If the current date 22nd July, then event's date should mentioned as 22nd July and likewise.

I have tried with DATETIME_CONFIG = CURRENT and DATETIME_CONFIG = NONE in props.conf but it doesn't work.

Re: Splunk to force the date of events with current date instead of file date

SanjayReddy — Tue, 22 Jul 2025 17:48:27 GMT

Hi @Raja_Selvaraj

DATETIME_CONFIG = CURRENT it should work as expected.

Can you please run btool command to check if DATETIME_CONFIG taking effect or any config overriding it.

splunk btool props list <sourcetype> --debug

above comand should list datetime_config

sample format in props.conf
[<sourcetype>]
DATETIME_CONFIG=CURRENT

Re: Splunk to force the date of events with current date instead of file date

PickleRick — Tue, 22 Jul 2025 21:22:54 GMT

If you want to modify displayed time so that whenever you're searching for the event you're being shown current time, you have to do it in search time.

<your_search>
| eval _time=now()

Question is why would you do that. Time is one of the main and most important metadata about the event.

And it has nothing to do with DATETIME_CONFIG - that setting only works during event ingestion. It modifies what timestamp will be assigned to the event. But each event when it's indexed gets its own timestamp and you can't modify the indexed timestamp. You can only "cheat" during searching by overwriting the value as I've shown above.

Re: Splunk to force the date of events with current date instead of file date

livehybrid — Wed, 23 Jul 2025 09:51:44 GMT

Hi @Raja_Selvaraj

Can you confirm which server(s) you have put the DATETIME_CONFIG = CURRENT on and what type of instance this is? (Universal Forwarder / Heavy Forwarder / Indexer) ?

This needs to be on the first full deployment (HF/Indexer) that the data hits as this is where it is parsed

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Re: Splunk to force the date of events with current date instead of file date

PrewinThomas — Wed, 23 Jul 2025 10:29:31 GMT

@Raja_Selvaraj

DATETIME_CONFIG = CURRENT should work normally.
But observed few times with monitor input, Splunk still scans the event content or file metadata (modtime) to determine _time, even if DATETIME_CONFIG = CURRENT is set.

Are you using monitor input?

But you can use the modification at search time.

Eg:

BASE_SEARCH | eval _time = now()

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!