topic Re: How can we set the index time to be the event time? in Getting Data In

How can we set the index time to be the event time?

ddrillic — Mon, 30 Jul 2018 18:18:10 GMT

We would like to set the index time to be the event time (at index time). How can we do it?

Re: How can we set the index time to be the event time?

pruthvikrishnap — Mon, 30 Jul 2018 18:28:11 GMT

HI ddrillic,

You can do this by adding this to props.conf on indexers.
[mysourcetype] DATETIME_CONFIG = CURRENT
Let me know if this helps.

Re: How can we set the index time to be the event time?

pradeepkumarg — Mon, 30 Jul 2018 18:28:55 GMT

If you meant setting the time stamp for an event based on the current system time(the time it is being indexed). You can use DATETIME_CONFIG = CURRENT in props.conf for the sourcetype

Re: How can we set the index time to be the event time?

sudosplunk — Mon, 30 Jul 2018 18:36:07 GMT

Hello,

I did not realize that I am posting the same answer until I refreshed the browser. But anyway,

Set DATETIME_CONFIG = CURRENT to assign the current system time to each event as it's indexed.

DATETIME_CONFIG = <filename relative to $SPLUNK_HOME>
* Specifies which file configures the timestamp extractor, which identifies
  timestamps from the event text.
* This configuration may also be set to "NONE" to prevent the timestamp
  extractor from running or "CURRENT" to assign the current system time to
  each event.
  * "CURRENT" will set the time of the event to the time that the event was
    merged from lines, or worded differently, the time it passed through the
    aggregator processor.
  * "NONE" will leave the event time set to whatever time was selected by
    the input layer
    * For data sent by splunk forwarders over the splunk protocol, the input
      layer will be the time that was selected on the forwarder by its input
      behavior (as below).
    * For file-based inputs (monitor, batch) the time chosen will be the
      modification timestamp on the file being read.
    * For other inputs, the time chosen will be the current system time when
      the event is read from the pipe/socket/etc.
  * Both "CURRENT" and "NONE" explicitly disable the per-text timestamp
    identification, so the default event boundary detection
    (BREAK_ONLY_BEFORE_DATE = true) is likely to not work as desired.  When
    using these settings, use SHOULD_LINEMERGE and/or the BREAK_ONLY_* ,
    MUST_BREAK_* settings to control event merging.
* Defaults to /etc/datetime.xml (for example, $SPLUNK_HOME/etc/datetime.xml).

Re: How can we set the index time to be the event time?

ajhstn — Sun, 02 Sep 2018 21:46:45 GMT

DATETIME_CONFIG = CURRENT appears to read that the time it hits the forwarder is the time it will appear in the seach/index window.

I need to use the actual time of the event that is inside the event as the time, how do i configure this?

Re: How can we set the index time to be the event time?

DRotondo — Wed, 22 Jan 2020 20:09:02 GMT

Did you ever get resolution to this?

If so it would be great if you could provide the info.