Getting Data In

How can we set the index time to be the event time?

ddrillic
Ultra Champion

We would like to set the index time to be the event time (at index time). How can we do it?

1 Solution

pruthvikrishnap
Contributor

Hi ddrillic,

You can do this by adding this to props.conf on indexers.
[mysourcetype]
DATETIME_CONFIG = CURRENT

Let me know if this helps.


ajhstn
Explorer

DATETIME_CONFIG = CURRENT appears to read that the time it hits the forwarder is the time it will appear in the search/index window.

I need to use the actual time of the event that is inside the event as the time. How do I configure this?

DRotondo
Engager

Did you ever get resolution to this?

If so it would be great if you could provide the info.


sudosplunk
Motivator

Hello,

I did not realize that I was posting the same answer until I refreshed the browser. But anyway,

Set DATETIME_CONFIG = CURRENT to assign the current system time to each event as it's indexed.

DATETIME_CONFIG = <filename relative to $SPLUNK_HOME>
* Specifies which file configures the timestamp extractor, which identifies
  timestamps from the event text.
* This configuration may also be set to "NONE" to prevent the timestamp
  extractor from running or "CURRENT" to assign the current system time to
  each event.
  * "CURRENT" will set the time of the event to the time that the event was
    merged from lines, or worded differently, the time it passed through the
    aggregator processor.
  * "NONE" will leave the event time set to whatever time was selected by
    the input layer
    * For data sent by splunk forwarders over the splunk protocol, the input
      layer will be the time that was selected on the forwarder by its input
      behavior (as below).
    * For file-based inputs (monitor, batch) the time chosen will be the
      modification timestamp on the file being read.
    * For other inputs, the time chosen will be the current system time when
      the event is read from the pipe/socket/etc.
  * Both "CURRENT" and "NONE" explicitly disable the per-text timestamp
    identification, so the default event boundary detection
    (BREAK_ONLY_BEFORE_DATE = true) is likely to not work as desired.  When
    using these settings, use SHOULD_LINEMERGE and/or the BREAK_ONLY_* ,
    MUST_BREAK_* settings to control event merging.
* Defaults to /etc/datetime.xml (for example, $SPLUNK_HOME/etc/datetime.xml).
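
The two configurations the thread is circling around, side by side, as an added props.conf example (not from any of the posts above, and not Splunk's own documentation). The sourcetype names, the event layout (an ISO-8601 UTC timestamp at the start of each line) and the regex/format values are assumptions chosen for illustration; substitute your own sourcetype and timestamp layout.

```ini
# Added example, not part of the original thread. Assumes a sourcetype whose
# events each start with a timestamp like 2024-03-05T14:22:07.123Z
# (assumed layout; the stanza names below are also assumptions).

# Variant A: what the accepted answer does. _time becomes the indexer's clock
# at the moment the event passes through the aggregator processor; any
# timestamp inside the event text is ignored. Because this disables per-text
# timestamp identification, the default BREAK_ONLY_BEFORE_DATE boundary
# detection cannot work, so line merging is controlled explicitly here.
[app_log_index_time]
DATETIME_CONFIG = CURRENT
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)

# Variant B: what the follow-up question asks for. DATETIME_CONFIG is left at
# its default so the timestamp extractor runs, and it is told exactly where
# the timestamp sits and how it is formatted so it is not guessed.
[app_log_event_time]
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3NZ
MAX_TIMESTAMP_LOOKAHEAD = 30
TZ = UTC
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
```

In practice only one stanza applies to a given sourcetype; the two are shown together to make the difference visible. For investigation timelines Variant B is normally what you want: with Variant A an event that sat in a forwarder queue for an hour is placed at the time it was indexed rather than the time it happened. Either way Splunk still records the indexing time in the _indextime field, so the gap between the two can be inspected with a search such as `... | eval lag_seconds = _indextime - _time`, which is a useful check that timestamps are being parsed as intended.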

pradeepkumarg
Influencer

If you meant setting the timestamp for an event based on the current system time (the time it is being indexed), you can use DATETIME_CONFIG = CURRENT in props.conf for the sourcetype.
