https://community.splunk.com/t5/Splunk-Search/Event-timestamp-behavior-is-inconsistent-when-DATETIME-CONFIG/m-p/491483#M194243 <P>I want to use a file's modification timestamp as the Splunk timestamp for the events it contains.<BR /> Accordingly, I've set "DATETIME_CONFIG = NONE" in props.conf for the sourcetype. This props.conf is distributed to the forwarder and indexers.. </P> <P>The files are read with a "monitor" input on the forwarder. <BR /> Two different behaviors;<BR /> i) If Splunk on the forwarder is "not running" when the file is written, the file's events are timestamped as expected: i.e. the timestamp of the event matches the Modify time as reported by "stat" on the file.</P> <P>ii) However, if Splunk is "running" when the file is written, the file's events are timestamped using "change time" of the input file.</P> <P>Please advise how I can ensure that a file's events are always timestamped according to the file's modification time, regardless of whether the Splunk forwarder is running at the time the file is written.</P> Fri, 24 Jan 2020 22:43:26 GMT sylim_splunk 2020-01-24T22:43:26Z https://community.splunk.com/t5/Splunk-Search/Event-timestamp-behavior-is-inconsistent-when-DATETIME-CONFIG/m-p/491483#M194243 <P>I want to use a file's modification timestamp as the Splunk timestamp for the events it contains.<BR /> Accordingly, I've set "DATETIME_CONFIG = NONE" in props.conf for the sourcetype. This props.conf is distributed to the forwarder and indexers.. </P> <P>The files are read with a "monitor" input on the forwarder. <BR /> Two different behaviors;<BR /> i) If Splunk on the forwarder is "not running" when the file is written, the file's events are timestamped as expected: i.e. the timestamp of the event matches the Modify time as reported by "stat" on the file.</P> <P>ii) However, if Splunk is "running" when the file is written, the file's events are timestamped using "change time" of the input file.</P> <P>Please advise how I can ensure that a file's events are always timestamped according to the file's modification time, regardless of whether the Splunk forwarder is running at the time the file is written.</P> Fri, 24 Jan 2020 22:43:26 GMT https://community.splunk.com/t5/Splunk-Search/Event-timestamp-behavior-is-inconsistent-when-DATETIME-CONFIG/m-p/491483#M194243 sylim_splunk 2020-01-24T22:43:26Z https://community.splunk.com/t5/Splunk-Search/Event-timestamp-behavior-is-inconsistent-when-DATETIME-CONFIG/m-p/491484#M194244 <P>This appears to be caused by Kernel bugs as this has been reproduced constantly with Splunk version 7.2.4.2 and Linux, 3.10.0-957.12.1.el7.x86_64. Now with the latest version as of this writing, 3.10.0-1062.4.1.el7.x86_64 it works fine as described in the splunk doc. </P> <P>It's been always reproduced with Ubuntu 16.04.1 but not with Ubuntu 16.04.5 - whoever sees this issue it'd be worth while to upgrade the OS kernel.</P> Wed, 30 Sep 2020 03:48:59 GMT https://community.splunk.com/t5/Splunk-Search/Event-timestamp-behavior-is-inconsistent-when-DATETIME-CONFIG/m-p/491484#M194244 sylim_splunk 2020-09-30T03:48:59Z