https://community.splunk.com/t5/Getting-Data-In/scripted-input-timestamp-extraction/m-p/59453#M11716 <P>Hi,</P> <P>You need to configure your <CODE>props.conf</CODE> file for this. Please see the following extract from the documentation:</P> <PRE><CODE>#****************************************************************************** # Timestamp extraction configuration #****************************************************************************** DATETIME_CONFIG = &lt;filename relative to $SPLUNK_HOME&gt; * Specifies which file configures the timestamp extractor, which identifies timestamps from the event text. * This configuration may also be set to "NONE" to prevent the timestamp extractor from running or "CURRENT" to assign the current system time to each event. * "CURRENT" will set the time of the event to the time that the event was merged from lines, or worded differently, the time it passed through the aggregator processor. * "NONE" will leave the event time set to whatever time was selected by the input layer * For data sent by splunk forwarders over the splunk protocol, the input layer will be the time that was selected on the forwarder by its input behavior (as below). * For file-based inputs (monitor, batch) the time chosen will be the modification timestamp on the file being read. * For other inputs, the time chosen will be the current system time when the event is read from the pipe/socket/etc. * Both "CURRENT" and "NONE" explicitly disable the per-text timestamp identification, so the default event boundary detection (BREAK_ONLY_BEFORE_DATE = true) is likely to not work as desired. When using these settings, use SHOULD_LINEMERGE and/or the BREAK_ONLY_* , MUST_BREAK_* settings to control event merging. * Defaults to /etc/datetime.xml (for example, $SPLUNK_HOME/etc/datetime.xml). </CODE></PRE> <P>Ref: <A href="http://docs.splunk.com/Documentation/Splunk/5.0.3/Admin/Propsconf">http://docs.splunk.com/Documentation/Splunk/5.0.3/Admin/Propsconf</A></P> <P>Hope this helps.</P> Tue, 11 Jun 2013 15:40:38 GMT MHibbin 2013-06-11T15:40:38Z https://community.splunk.com/t5/Getting-Data-In/scripted-input-timestamp-extraction/m-p/59452#M11715 <P>We have a script that executes every 5 minutes to pull back server stats but it takes about 2-3 minutes to execute so the timestamp of events is different. Is it possible to give all these events that come in during the scripted input execution the timestamp of when the script was executed?</P> Tue, 11 Jun 2013 14:03:07 GMT https://community.splunk.com/t5/Getting-Data-In/scripted-input-timestamp-extraction/m-p/59452#M11715 aaronkorn 2013-06-11T14:03:07Z https://community.splunk.com/t5/Getting-Data-In/scripted-input-timestamp-extraction/m-p/59453#M11716 <P>Hi,</P> <P>You need to configure your <CODE>props.conf</CODE> file for this. Please see the following extract from the documentation:</P> <PRE><CODE>#****************************************************************************** # Timestamp extraction configuration #****************************************************************************** DATETIME_CONFIG = &lt;filename relative to $SPLUNK_HOME&gt; * Specifies which file configures the timestamp extractor, which identifies timestamps from the event text. * This configuration may also be set to "NONE" to prevent the timestamp extractor from running or "CURRENT" to assign the current system time to each event. * "CURRENT" will set the time of the event to the time that the event was merged from lines, or worded differently, the time it passed through the aggregator processor. * "NONE" will leave the event time set to whatever time was selected by the input layer * For data sent by splunk forwarders over the splunk protocol, the input layer will be the time that was selected on the forwarder by its input behavior (as below). * For file-based inputs (monitor, batch) the time chosen will be the modification timestamp on the file being read. * For other inputs, the time chosen will be the current system time when the event is read from the pipe/socket/etc. * Both "CURRENT" and "NONE" explicitly disable the per-text timestamp identification, so the default event boundary detection (BREAK_ONLY_BEFORE_DATE = true) is likely to not work as desired. When using these settings, use SHOULD_LINEMERGE and/or the BREAK_ONLY_* , MUST_BREAK_* settings to control event merging. * Defaults to /etc/datetime.xml (for example, $SPLUNK_HOME/etc/datetime.xml). </CODE></PRE> <P>Ref: <A href="http://docs.splunk.com/Documentation/Splunk/5.0.3/Admin/Propsconf">http://docs.splunk.com/Documentation/Splunk/5.0.3/Admin/Propsconf</A></P> <P>Hope this helps.</P> Tue, 11 Jun 2013 15:40:38 GMT https://community.splunk.com/t5/Getting-Data-In/scripted-input-timestamp-extraction/m-p/59453#M11716 MHibbin 2013-06-11T15:40:38Z