All Apps and Add-ons
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to use Microsoft Azure Add-on for Splunk _time setup?

rayar
Contributor
‎02-16-2022 08:12 AM

Hi

I want to understand how the _time set using App: Microsoft Azure Add-on for Splunk

source type azure:eventhub

cat ./etc/apps/TA-MS-AAD/default/props.conf

[azure:eventhub]
SHOULD_LINEMERGE = 0
category = Splunk App Add-on Builder
pulldown_type = 1
####################
# Metrics
####################

 

[splunk@ilissplsh04 ~]$ cat ./etc/apps/TA-MS-AAD/local/props.conf
[azure:eventhub]
TRUNCATE=0
[splunk@ilissplsh04 ~]$

I got an event with old _time even the event got indexed today ( indextime)

Labels (1)
Labels
0 Karma
Reply

m_pham
Splunk Employee
Splunk Employee
‎02-24-2022 08:43 PM

Try this:

 

[azure:eventhub]
DATETIME_CONFIG = CURRENT

 

props.conf snippet:

DATETIME_CONFIG = [<filename relative to $SPLUNK_HOME> | CURRENT | NONE]
* Specifies which file configures the timestamp extractor, which identifies
  timestamps from the event text.
* This setting may also be set to "NONE" to prevent the timestamp
  extractor from running or "CURRENT" to assign the current system time to
  each event.
  * "CURRENT" sets the time of the event to the time that the event was
    merged from lines, or worded differently, the time it passed through the
    aggregator processor.
  * "NONE" leaves the event time set to whatever time was selected by
    the input layer
    * For data sent by Splunk forwarders over the Splunk-to-Splunk protocol,
      the input layer is the time that was selected on the forwarder by
      its input behavior (as below).
    * For file-based inputs (monitor, batch) the time chosen is the
      modification timestamp on the file being read.
    * For other inputs, the time chosen is the current system time when
      the event is read from the pipe/socket/etc.
  * Both "CURRENT" and "NONE" explicitly disable the per-text timestamp
    identification, so the default event boundary detection
    (BREAK_ONLY_BEFORE_DATE = true) is likely to not work as desired.  When
    using these settings, use 'SHOULD_LINEMERGE' and/or the 'BREAK_ONLY_*' ,
    'MUST_BREAK_*' settings to control event merging.
* For more information on 'DATETIME_CONFIG' and datetime.xml, see "Configure
  advanced timestamp recognition with datetime.xml" in the Splunk Documentation.
* Default: /etc/datetime.xml (for example, $SPLUNK_HOME/etc/datetime.xml).

https://docs.splunk.com/Documentation/Splunk/latest/Admin/propsconf

 

0 Karma
Reply

rayar
Contributor
‎03-06-2022 06:07 AM

thanks

I prefer not to change the _time setting before I understand how it originally defined  

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

New This Month - Splunk Observability updates and improvements for faster ...

What’s New? This month, we’re delivering several enhancements across Splunk Observability Cloud for faster and ...

What's New in Splunk Cloud Platform 9.3.2411?

Hey Splunky People! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2411. This release ...

Buttercup Games: Further Dashboarding Techniques (Part 6)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top