Hi
I want to index one month of statistical data (sum, avg, max, etc.) by the current time (indexing time). Is it possible?
Right now I have a problem.
I'm indexing one month of statistical data (e.g. search ... sum(data) earliest=-30d ...) with a saved search into the index 'summary' every 5m.
Then the index time of the indexed data is -30 days.
Description: now time: 2010-12-1 12:00, indexing time range: -30d, indexing... index time: 2010-11-1 12:00 <---- this is my problem. I want it to be 2010-12-1 12:00.
Help me, please...
I'm not sure this is what you want.
You can force Splunk to use the indexing time for each event by putting
[<spec>]
# Set DATETIME_CONFIG = CURRENT to assign the current system time to each event as it's indexed.
DATETIME_CONFIG = CURRENT
in props.conf (see more: ConfigureTimestampRecognition)
Thanks for the tips ~