I have this stanza in my props.conf
TZ = US/Eastern
SHOULD_LINEMERGE = false
MAX_DAYS_HENCE = 5
TRUNCATE = 0
DATETIME_CONFIG = NONE
And this setting in inputs.conf
disabled = 0
index = testindex
sourcetype = test_test
Why is Splunk still trying to parse the timestamp in each line of test.txt instead of using the modified time of test.txt?
Unfortunately, the docs say:
"NONE" will leave the event time set to whatever time was selected by the input layer
For data sent by splunk forwarders over the splunk protocol, the input layer will be the time that was selected on the forwarder by its input behavior (as below).
My solution was to use a batch input:
sourcetype = foo
move_policy = sinkhole
and the sourcetype stanza in props.conf has
DATETIME_CONFIG = NONE
NOTE batch input will DELETE files as it imports them! So make a copy first!
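For readers who want to see the two stanzas the answer describes side by side, here is a complete version written as an added example; it is not the answerer's own configuration. The batch path, the index name and the stanza name foo are placeholders you would replace with your own values.

```ini
# inputs.conf (added example; the path is a placeholder, not from the post)
# batch:// reads each file under the path once; with move_policy = sinkhole
# the file is deleted after it is consumed, so point it at a COPY of test.txt.
[batch:///var/tmp/splunk_batch]
move_policy = sinkhole
sourcetype = foo
index = testindex
disabled = 0

# props.conf (added example)
[foo]
# NONE: do not search the event text for a timestamp; keep the time the
# input layer already chose for the event.
DATETIME_CONFIG = NONE
SHOULD_LINEMERGE = false
TRUNCATE = 0
```

Both stanzas need to live on the instance that actually reads the file, and the sourcetype name in inputs.conf must match the props.conf stanza name exactly, otherwise the DATETIME_CONFIG setting is never applied and timestamp extraction falls back to its defaults.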
When I test this configuration in Splunk data preview, it works very well: all records use the modification time of the file.
But after I add my file into Splunk using that sourcetype, Splunk tries to parse the timestamp in the log record again.