https://community.splunk.com/t5/Getting-Data-In/Using-index-time-as-time-stamp/m-p/51462#M9875 <P>Is there anyway to ignore the events time stamp, and set it to the current system time (at the event's index time)?</P> <P>I'm using light weight forwarders so I assume this would need to be done on the indexer. </P> Tue, 01 Mar 2011 03:06:58 GMT carmackd 2011-03-01T03:06:58Z https://community.splunk.com/t5/Getting-Data-In/Using-index-time-as-time-stamp/m-p/51462#M9875 <P>Is there anyway to ignore the events time stamp, and set it to the current system time (at the event's index time)?</P> <P>I'm using light weight forwarders so I assume this would need to be done on the indexer. </P> Tue, 01 Mar 2011 03:06:58 GMT https://community.splunk.com/t5/Getting-Data-In/Using-index-time-as-time-stamp/m-p/51462#M9875 carmackd 2011-03-01T03:06:58Z https://community.splunk.com/t5/Getting-Data-In/Using-index-time-as-time-stamp/m-p/51463#M9876 <P>I was looking through the documentation and found the answer shortly after I posted.</P> <P>If your events are indexed in real time, increase Splunk's overall indexing performance by turning off timestamp lookahead (set MAX_TIMESTAMP_LOOKAHEAD = 0). This causes Splunk to not look into event's for a timestamp, and sets an event's timestamp to be its indexing time (using current system time). </P> Tue, 01 Mar 2011 03:12:26 GMT https://community.splunk.com/t5/Getting-Data-In/Using-index-time-as-time-stamp/m-p/51463#M9876 carmackd 2011-03-01T03:12:26Z https://community.splunk.com/t5/Getting-Data-In/Using-index-time-as-time-stamp/m-p/51464#M9877 <P>You should be able to do this using props.conf on the indexer (since you're using LWF)</P> <PRE><CODE>[mysourcetype] DATETIME_CONFIG = CURRENT </CODE></PRE> <P>See <A href="http://www.splunk.com/base/Documentation/latest/Admin/Propsconf" rel="nofollow">http://www.splunk.com/base/Documentation/latest/Admin/Propsconf</A> for more info.</P> Tue, 01 Mar 2011 03:14:37 GMT https://community.splunk.com/t5/Getting-Data-In/Using-index-time-as-time-stamp/m-p/51464#M9877 dwaddle 2011-03-01T03:14:37Z https://community.splunk.com/t5/Getting-Data-In/Using-index-time-as-time-stamp/m-p/51465#M9878 <P>Thanks, this worked, but MAX_TIMESTAMP_LOOKAHEAD = 0 did not, which confuses me. Why would the documentation say setting the MAX_TIMESTAMP_LOOKAHEAD to 0 will cause splunk not to look into the event for a timestamp, and use the the current system time as the timestamp? I did not see this behavior when I used this configuration.</P> Mon, 28 Sep 2020 09:25:44 GMT https://community.splunk.com/t5/Getting-Data-In/Using-index-time-as-time-stamp/m-p/51465#M9878 carmackd 2020-09-28T09:25:44Z https://community.splunk.com/t5/Getting-Data-In/Using-index-time-as-time-stamp/m-p/51466#M9879 <P>Can you post a link to where you found that in the docs? I didn't see it in the reference for props.conf, which confused me a little.</P> Tue, 01 Mar 2011 23:31:36 GMT https://community.splunk.com/t5/Getting-Data-In/Using-index-time-as-time-stamp/m-p/51466#M9879 dwaddle 2011-03-01T23:31:36Z https://community.splunk.com/t5/Getting-Data-In/Using-index-time-as-time-stamp/m-p/51467#M9880 <P>Docs scrubbed. Sorry, old error. Passes smell test but was incorrect.</P> Wed, 02 Mar 2011 05:09:49 GMT https://community.splunk.com/t5/Getting-Data-In/Using-index-time-as-time-stamp/m-p/51467#M9880 jrodman 2011-03-02T05:09:49Z