- Splunk Answers
- :
- Splunk Administration
- :
- Installation
- :
- Re: DATETIME_CONFIG = NONE not working
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DATETIME_CONFIG = NONE not working
I downloaded a free trial version of Splunk Enterprise.
Indexed in a file on the network (updates every minute) so its not local to my PC. File has a timestamp column.
Looks like the indexer is parsing the data in file to pickup time stamp.
So, I tried defining "DATETIME_CONFIG = NONE" in props.conf in the location 'C:\Program Files\Splunk\etc\system\local', still uses timestamp from the file and not the data indexing time.
What do I need to do so that time stamp for every event is the data indexing time or the file generation time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do no put any settings in $SPLUNK_HOME/etc/system/local/props.conf. Instead, create your own app in $SPLUNK_HOME/etc/apps/ArbitraryNameHere/local/props.conf. Make sure that it has only these lines:
[YourSourcetypeHere]
DATETIME_CONFIG = CURRENT
# NOTE, do not use "NONE"
Put this on your Indexer. Restart Splunk. Check only for newly Indexed events; use a search like this:
index=YourIndexHere sourcetype=YourSourcetypeHere | where _indextime == _time
If you get events, then it is working.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you restarted Splunk after the change in props.conf?
Does the source, host, or sourcetype defined in the props stanza match? since this is a regex like match it is actually case sensitive 😉
Also remember this will only apply to new incoming events.
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes and yes for both the questions. also matched the case. Still doesnt work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The file that I am indexing is not local to my PC, its from a server location. May be that's why the changes I make to props.conf doesn't work?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ok, after some digging, might have found the issue. To add data there are initial 3 options, Upload / Monitor / Forward.
I had selected Monitor ( which is for external sources like Files - HTTP - WMI - TCP/UDP - Scripts
Modular inputs for external data sources). Now instead I selected Upload (from local PC, this also allows you to upload from drives from servers which are mapped in your PC).
When I did this, while adding data it gave me option to 'Set Source Type' (which is not available in Monitor). In there was option to play around with timestamp (use current / parse data). So I didnt need to edit props.conf anymore.
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
