
DATETIME_CONFIG = NONE not working

Explorer

I downloaded a free trial version of Splunk Enterprise.
Indexed a file on the network (updates every minute), so it's not local to my PC. The file has a timestamp column.
It looks like the indexer is parsing the data in the file to pick up the timestamp.
So I tried defining "DATETIME_CONFIG = NONE" in props.conf in the location 'C:\Program Files\Splunk\etc\system\local', but it still uses the timestamp from the file and not the data indexing time.
What do I need to do so that the timestamp for every event is the data indexing time or the file generation time?


Esteemed Legend

Do not put any settings in $SPLUNK_HOME/etc/system/local/props.conf. Instead, create your own app in $SPLUNK_HOME/etc/apps/ArbitraryNameHere/local/props.conf. Make sure that it has only these lines:

[YourSourcetypeHere]
DATETIME_CONFIG = CURRENT
# NOTE, do not use "NONE"

Put this on your Indexer. Restart Splunk. Check only for newly Indexed events; use a search like this:

index=YourIndexHere sourcetype=YourSourcetypeHere | where _indextime == _time

If you get events, then it is working.


SplunkTrust

Have you restarted Splunk after the change in props.conf?
Does the source, host, or sourcetype defined in the props stanza match? Since this is a regex-like match, it is actually case-sensitive 😉
Also remember this will only apply to new incoming events.

cheers, MuS

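To make the two points above concrete (the stanza must match the sourcetype exactly, including case, and the answer recommends CURRENT rather than NONE), here is an added checker that is not part of this thread or of Splunk itself. It parses a props.conf-style text and reports what _time an event of a given sourcetype would get; the sample props.conf and the sourcetype names are constructed for the demo, and the literal case-sensitive stanza match is a simplification of Splunk's precedence rules.

```python
import configparser

# Constructed sample props.conf: the stanza from the answer above plus a
# second stanza that still uses the NONE setting from the question.
SAMPLE_PROPS = """
[YourSourcetypeHere]
DATETIME_CONFIG = CURRENT
# NOTE, do not use "NONE"

[other_source]
DATETIME_CONFIG = NONE
"""


def parse_props(text: str) -> dict:
    """Parse props.conf-style text into {stanza: {key: value}}.

    Splunk .conf files are INI-like and their keys are case-sensitive, so
    configparser's default key lowercasing is switched off.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep DATETIME_CONFIG as written
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def check_timestamp_config(text: str, sourcetype: str) -> str:
    """Report how _time would be assigned for events of `sourcetype`.

    Returns one of:
      "no_stanza"    no stanza header equals the sourcetype (case-sensitive,
                     which is the mismatch MuS asks about)
      "none_setting" stanza uses DATETIME_CONFIG = NONE, which the answer
                     above says not to use
      "index_time"   DATETIME_CONFIG = CURRENT, _time will be the index time
      "parsed"       anything else, so the timestamp is parsed from the data
    """
    props = parse_props(text)
    stanza = props.get(sourcetype)  # exact, case-sensitive match (assumption)
    if stanza is None:
        return "no_stanza"
    value = stanza.get("DATETIME_CONFIG", "").strip()
    if value == "NONE":
        return "none_setting"
    if value == "CURRENT":
        return "index_time"
    return "parsed"


if __name__ == "__main__":
    for st in ("YourSourcetypeHere", "yoursourcetypehere", "other_source"):
        print(st, "->", check_timestamp_config(SAMPLE_PROPS, st))
```

Run it against your own props.conf text with the sourcetype you see on the events; a "no_stanza" result for a name you believe is configured usually means a case or spelling mismatch in the stanza header.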

Explorer

Yes and yes for both questions. Also matched the case. Still doesn't work.


Explorer

The file that I am indexing is not local to my PC, it's from a server location. Maybe that's why the changes I make to props.conf don't work?


Explorer

OK, after some digging, I might have found the issue. To add data there are initially 3 options: Upload / Monitor / Forward.
I had selected Monitor (which is for external sources like Files - HTTP - WMI - TCP/UDP - Scripts - Modular inputs for external data sources). Now instead I selected Upload (from local PC; this also allows you to upload from server drives which are mapped on your PC).
When I did this, while adding data it gave me the option to 'Set Source Type' (which is not available in Monitor). In there was an option to play around with the timestamp (use current / parse data). So I didn't need to edit props.conf anymore.
