All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to use Microsoft Azure Add-on for Splunk _time setup?

rayar
Contributor
‎02-16-2022 08:12 AM

Hi

I want to understand how the _time set using App: Microsoft Azure Add-on for Splunk

source type azure:eventhub

cat ./etc/apps/TA-MS-AAD/default/props.conf

[azure:eventhub]
SHOULD_LINEMERGE = 0
category = Splunk App Add-on Builder
pulldown_type = 1
####################
# Metrics
####################

 

[splunk@ilissplsh04 ~]$ cat ./etc/apps/TA-MS-AAD/local/props.conf
[azure:eventhub]
TRUNCATE=0
[splunk@ilissplsh04 ~]$

I got an event with old _time even the event got indexed today ( indextime)

Labels (1)
Labels
0 Karma
Reply

m_pham
Splunk Employee
Splunk Employee
‎02-24-2022 08:43 PM

Try this:

 

[azure:eventhub]
DATETIME_CONFIG = CURRENT

 

props.conf snippet:

DATETIME_CONFIG = [<filename relative to $SPLUNK_HOME> | CURRENT | NONE]
* Specifies which file configures the timestamp extractor, which identifies
  timestamps from the event text.
* This setting may also be set to "NONE" to prevent the timestamp
  extractor from running or "CURRENT" to assign the current system time to
  each event.
  * "CURRENT" sets the time of the event to the time that the event was
    merged from lines, or worded differently, the time it passed through the
    aggregator processor.
  * "NONE" leaves the event time set to whatever time was selected by
    the input layer
    * For data sent by Splunk forwarders over the Splunk-to-Splunk protocol,
      the input layer is the time that was selected on the forwarder by
      its input behavior (as below).
    * For file-based inputs (monitor, batch) the time chosen is the
      modification timestamp on the file being read.
    * For other inputs, the time chosen is the current system time when
      the event is read from the pipe/socket/etc.
  * Both "CURRENT" and "NONE" explicitly disable the per-text timestamp
    identification, so the default event boundary detection
    (BREAK_ONLY_BEFORE_DATE = true) is likely to not work as desired.  When
    using these settings, use 'SHOULD_LINEMERGE' and/or the 'BREAK_ONLY_*' ,
    'MUST_BREAK_*' settings to control event merging.
* For more information on 'DATETIME_CONFIG' and datetime.xml, see "Configure
  advanced timestamp recognition with datetime.xml" in the Splunk Documentation.
* Default: /etc/datetime.xml (for example, $SPLUNK_HOME/etc/datetime.xml).

https://docs.splunk.com/Documentation/Splunk/latest/Admin/propsconf

 

0 Karma
Reply

rayar
Contributor
‎03-06-2022 06:07 AM

thanks

I prefer not to change the _time setting before I understand how it originally defined  

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...