I downloaded a free trial version of Splunk Enterprise.
The data is indexed from a file on the network (updated every minute), so it is not local to my PC. The file has a timestamp column.
It looks like the indexer is parsing the data in the file to pick up the timestamp.
So I tried defining "DATETIME_CONFIG = NONE" in props.conf in 'C:\Program Files\Splunk\etc\system\local', but it still uses the timestamp from the file and not the indexing time.
What do I need to do so that the timestamp for every event is the indexing time or the file generation time?
Do not put any settings in $SPLUNK_HOME/etc/system/local/props.conf. Instead, create your own app in $SPLUNK_HOME/etc/apps/ArbitraryNameHere/local/props.conf. Make sure that it has only these lines:

# NOTE: do not use "NONE"
[YourSourcetypeHere]
DATETIME_CONFIG = CURRENT
Put this on your indexer. Restart Splunk. Check only for newly indexed events; use a search like this:
index=YourIndexHere sourcetype=YourSourcetypeHere | where _indextime == _time
If you get events, then it is working.
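The app layout from the answer above, as an added example that is not part of the original answer: a script that writes the single-stanza props.conf under $SPLUNK_HOME/etc/apps/, then reads it back to confirm the setting sits in the right stanza. The app name "force_indextime", the sourcetype "network_csv" and the Unix-style path are assumed placeholders; on the Windows install from the question the same layout lives under C:\Program Files\Splunk\etc\apps\.

```shell
#!/bin/sh
# Added example (not from the original answer): create the app that forces
# index-time timestamps for one sourcetype, then verify the stanza.
# Assumed placeholders: SPLUNK_HOME (a temp dir if unset), app name
# "force_indextime", sourcetype "network_csv". Replace with your own values.
set -eu

# make_timestamp_app SPLUNK_HOME APP SOURCETYPE
# Writes $SPLUNK_HOME/etc/apps/APP/local/props.conf containing only the
# stanza for SOURCETYPE with DATETIME_CONFIG = CURRENT, and prints its path.
make_timestamp_app() {
    splunk_home="$1"; app="$2"; sourcetype="$3"
    conf_dir="$splunk_home/etc/apps/$app/local"
    mkdir -p "$conf_dir"
    # The note is written as its own "#" line, never after a value, so it
    # cannot be read by Splunk as part of the setting.
    {
        printf '# CURRENT: stamp events with index time instead of parsing the file.\n'
        printf '# Do not use NONE here.\n'
        printf '[%s]\n' "$sourcetype"
        printf 'DATETIME_CONFIG = CURRENT\n'
    } > "$conf_dir/props.conf"
    printf '%s\n' "$conf_dir/props.conf"
}

# stanza_setting FILE STANZA KEY
# Prints the value of KEY inside [STANZA] of a Splunk .conf file, skipping
# comment lines; prints nothing if the stanza or key is absent.
stanza_setting() {
    awk -v stanza="[$2]" -v key="$3" '
        /^[ \t]*#/ { next }                          # skip comment lines
        /^\[/      { in_stanza = ($0 == stanza); next } # track the current stanza
        in_stanza {
            split($0, kv, "=")
            gsub(/^[ \t]+|[ \t]+$/, "", kv[1])
            if (kv[1] == key) {
                sub(/^[^=]*=[ \t]*/, "")              # drop "key = "
                sub(/[ \t]+$/, "")                    # drop trailing blanks
                print; exit
            }
        }' "$1"
}

# check_timestamp_app SPLUNK_HOME APP SOURCETYPE
# Returns 0 when the app props.conf forces CURRENT for SOURCETYPE, 1 otherwise.
check_timestamp_app() {
    conf="$1/etc/apps/$2/local/props.conf"
    [ -f "$conf" ] || return 1
    [ "$(stanza_setting "$conf" "$3" DATETIME_CONFIG)" = "CURRENT" ]
}

# Stand-alone run: lay out the app, confirm the setting, and print the
# follow-up steps the answer requires (restart; only new events are affected).
demo_home="${SPLUNK_HOME:-$(mktemp -d)}"
conf_path="$(make_timestamp_app "$demo_home" force_indextime network_csv)"
if check_timestamp_app "$demo_home" force_indextime network_csv; then
    echo "wrote $conf_path; restart Splunk on the indexer, then verify with:"
    echo "  index=<your_index> sourcetype=network_csv | where _indextime == _time"
else
    echo "stanza check failed for $conf_path" >&2
fi
```

stanza_setting is deliberately stanza-aware: a DATETIME_CONFIG line under a different sourcetype, or in a commented-out line, does not count, which is the mistake the comment below (case-sensitive stanza names) is about.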
Have you restarted Splunk after the change in props.conf?
Does the source, host, or sourcetype defined in the props stanza match? Since this is a regex-like match, it is actually case sensitive 😉
Also remember that this will only apply to new incoming events.
OK, after some digging, I might have found the issue. To add data there are initially three options: Upload / Monitor / Forward.
I had selected Monitor (which is for external sources like Files, HTTP, WMI, TCP/UDP, Scripts, and Modular inputs for external data sources). Instead, I now selected Upload (from the local PC; this also allows you to upload from server drives that are mapped on your PC).
When I did this, while adding data it gave me the option to 'Set Source Type' (which is not available in Monitor). In there was an option to play around with the timestamp (use current / parse data). So I didn't need to edit props.conf anymore.