Getting Data In

How can we set the index time to be the event time?

Ultra Champion

We would like to set the index time to be the event time (at index time). How can we do it?

0 Karma

Re: How can we set the index time to be the event time?

Contributor

Hi ddrillic,

You can do this by adding this to props.conf on indexers.
[mysourcetype]
DATETIME_CONFIG = CURRENT

Let me know if this helps.



Re: How can we set the index time to be the event time?

Influencer

If you meant setting the timestamp for an event based on the current system time (the time it is being indexed), you can use DATETIME_CONFIG = CURRENT in props.conf for the sourcetype.


Re: How can we set the index time to be the event time?

Motivator

Hello,

I did not realize that I am posting the same answer until I refreshed the browser. But anyway,

Set DATETIME_CONFIG = CURRENT to assign the current system time to each event as it's indexed.

DATETIME_CONFIG = <filename relative to $SPLUNK_HOME>
* Specifies which file configures the timestamp extractor, which identifies
  timestamps from the event text.
* This configuration may also be set to "NONE" to prevent the timestamp
  extractor from running or "CURRENT" to assign the current system time to
  each event.
  * "CURRENT" will set the time of the event to the time that the event was
    merged from lines, or worded differently, the time it passed through the
    aggregator processor.
  * "NONE" will leave the event time set to whatever time was selected by
    the input layer
    * For data sent by splunk forwarders over the splunk protocol, the input
      layer will be the time that was selected on the forwarder by its input
      behavior (as below).
    * For file-based inputs (monitor, batch) the time chosen will be the
      modification timestamp on the file being read.
    * For other inputs, the time chosen will be the current system time when
      the event is read from the pipe/socket/etc.
  * Both "CURRENT" and "NONE" explicitly disable the per-text timestamp
    identification, so the default event boundary detection
    (BREAK_ONLY_BEFORE_DATE = true) is likely to not work as desired.  When
    using these settings, use SHOULD_LINEMERGE and/or the BREAK_ONLY_* ,
    MUST_BREAK_* settings to control event merging.
* Defaults to /etc/datetime.xml (for example, $SPLUNK_HOME/etc/datetime.xml).

Re: How can we set the index time to be the event time?

Explorer

DATETIME_CONFIG = CURRENT appears to read that the time it hits the forwarder is the time it will appear in the search/index window.

I need to use the actual time of the event that is inside the event as the time. How do I configure this?
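Added example, not from any poster above: two props.conf stanzas side by side, one implementing the DATETIME_CONFIG = CURRENT answer together with the explicit line-breaking that the spec text quoted above says becomes necessary, and one that keeps the timestamp extractor running and points it at the time written inside the event, which is what the last question asks for. The sourcetype names, the log line format, the LINE_BREAKER pattern and the TIME_FORMAT are constructed for this example; the setting names (DATETIME_CONFIG, SHOULD_LINEMERGE, LINE_BREAKER, TRUNCATE, TIME_PREFIX, TIME_FORMAT, MAX_TIMESTAMP_LOOKAHEAD) are standard props.conf settings.

```ini
# props.conf on the indexer (or on a heavy forwarder, if that is where parsing happens).
# Sourcetype names, the sample log format and the regexes below are constructed
# for this example; adjust them to the real data.
#
# Constructed sample record that both stanzas assume:
#   [INFO] 2024-03-05T14:02:11+0000 login succeeded user=alice src=10.0.0.5

# Variant A: stamp every event with the time it passed through the aggregator.
# CURRENT disables timestamp extraction, so the default
# BREAK_ONLY_BEFORE_DATE boundary detection has nothing to match on and event
# breaking has to be stated explicitly (see the "Both CURRENT and NONE" note in
# the spec text quoted above).
[example_app_log_arrivaltime]
DATETIME_CONFIG = CURRENT
SHOULD_LINEMERGE = false
# Break on the newline that precedes each "[LEVEL]" marker (constructed pattern).
LINE_BREAKER = ([\r\n]+)(?=\[(?:INFO|WARN|ERROR)\])
TRUNCATE = 10000

# Variant B: leave DATETIME_CONFIG at its default so the extractor runs, and
# tell it exactly where the event's own timestamp sits.
[example_app_log_eventtime]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\[(?:INFO|WARN|ERROR)\])
TRUNCATE = 10000
# Regex matched up to the start of the timestamp.
TIME_PREFIX = ^\[(?:INFO|WARN|ERROR)\]\s
# strptime-style format of the timestamp that follows TIME_PREFIX.
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z
# The constructed timestamp is 24 characters; keep the lookahead short so a
# later date-like string in the message body cannot be picked up instead.
MAX_TIMESTAMP_LOOKAHEAD = 30
```

Variant A is the simpler of the two, but it records the arrival time, not the time the event happened: when a forwarder has been down or is backlogged, a whole batch of older events is stamped with the moment it was finally indexed, which skews time-bounded searches and incident timelines. Variant B keeps the event's own time, and the explicit TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD also stop the extractor from latching onto a stray date inside the message text. Check either stanza against sample data before rolling it out, since a LINE_BREAKER that never matches leaves the whole file as one event.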


Re: How can we set the index time to be the event time?

Engager

Did you ever get resolution to this?

If so it would be great if you could provide the info.

0 Karma