topic Re: How do you ingest a file with current time? in Getting Data In

How do you ingest a file with current time?

test4u — Tue, 05 Mar 2019 11:42:24 GMT

I have files with a time field that is of a previous date . I want to ingest these files in Splunk, but the indexed time of that file should be the current time and not the time of the file .

How do I do that?

Re: How do you ingest a file with current time?

whrg — Tue, 05 Mar 2019 11:55:55 GMT

Hello @test4u,

You need to set DATETIME_CONFIG to CURRENT in your props.conf:

[yoursourcetype]
DATETIME_CONFIG = CURRENT
...
...

Doing so will "will set the time of the event to the time that the event was merged from lines, or worded differently, the time it passed through the aggregator processor."

You need to do this on your heavy forwarder / indexer. Remember to restart Splunk after making changes to configuration files.

Re: How do you ingest a file with current time?

n0str0m08 — Tue, 05 Mar 2019 11:56:29 GMT

Hi @test4u,

You can set it with DATETIME_CONFIG attribute in props.conf file:

[<sourcetype>]
DATETIME_CONFIG=CURRENT