Getting Data In

How can I use Unix _time for inputs.conf monitor?

spraus
Explorer

Hello All,

Let me apologize if this has been clarified before though I cannot seem to find any documentation.

I have a file that is updated ever 60 seconds with the current status of vpn users connections including data transfer bytes, username, and for the important part... Initial connection time. Unfortunately when splunk indexes the modification of the lines in this file it uses the users initial connection time as the _time field.

I would like to ask if anyone knows a way using the inputs.conf file to set the _time value to the current unix timestamp.

Ideally I would expect something along the lines of....
[monitor:///var/log/openvpn*.log]
index=os
disabled = 0
sourcetype = openvpn
interval = 10
_time =now()

Thank you all for any help you can provide;

SPraus

Labels (7)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

You can tell Splunk what to use for _time in a props.conf file.  Every sourcetype should have props.

[openvpn]
# Use the current time as _time
DATETIME_CONFIG = current
SHOULD_LINEMERGE = false
# Change this as necessary to match your data
LINE_BREAKER = ([\r\n]+)
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

You can tell Splunk what to use for _time in a props.conf file.  Every sourcetype should have props.

[openvpn]
# Use the current time as _time
DATETIME_CONFIG = current
SHOULD_LINEMERGE = false
# Change this as necessary to match your data
LINE_BREAKER = ([\r\n]+)
---
If this reply helps you, Karma would be appreciated.
0 Karma

spraus
Explorer

This worked beautifully... I feel like an idiot, I had tried this but I put it on my search head not my indexer.... Just took another person reminding me I cant do simple things lol.

Thank you for your help!

Get Updates on the Splunk Community!

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

  Now On Demand  Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research ...

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Automated Archival is a new capability within Metrics Management; which is a robust usage & cost optimization ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...