You can do this by adding this to props.conf on indexers.
DATETIME_CONFIG = CURRENT
Let me know if this helps.
If you meant setting the timestamp for an event based on the current system time (the time it is being indexed), you can use DATETIME_CONFIG = CURRENT in props.conf for the sourcetype.
I did not realize that I was posting the same answer until I refreshed the browser. But anyway,
DATETIME_CONFIG = CURRENT to assign the current system time to each event as it's indexed.
DATETIME_CONFIG = <filename relative to $SPLUNK_HOME>
* Specifies which file configures the timestamp extractor, which identifies timestamps from the event text.
* This configuration may also be set to "NONE" to prevent the timestamp extractor from running or "CURRENT" to assign the current system time to each event.
* "CURRENT" will set the time of the event to the time that the event was merged from lines, or worded differently, the time it passed through the aggregator processor.
* "NONE" will leave the event time set to whatever time was selected by the input layer
  * For data sent by splunk forwarders over the splunk protocol, the input layer will be the time that was selected on the forwarder by its input behavior (as below).
  * For file-based inputs (monitor, batch) the time chosen will be the modification timestamp on the file being read.
  * For other inputs, the time chosen will be the current system time when the event is read from the pipe/socket/etc.
* Both "CURRENT" and "NONE" explicitly disable the per-text timestamp identification, so the default event boundary detection (BREAK_ONLY_BEFORE_DATE = true) is likely to not work as desired. When using these settings, use SHOULD_LINEMERGE and/or the BREAK_ONLY_* , MUST_BREAK_* settings to control event merging.
* Defaults to /etc/datetime.xml (for example, $SPLUNK_HOME/etc/datetime.xml).
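The spec text above, laid out as a props.conf fragment. This is an added illustration, not configuration posted by anyone in this thread; both sourcetype names are hypothetical, and the line-breaking values are one assumed choice for single-line events.

```ini
# props.conf on the indexers. Sourcetype names below are hypothetical.

[example:no_timestamp]
# Stamp each event with the system time at which it passes the
# aggregator processor, ignoring anything in the event text.
DATETIME_CONFIG = CURRENT
# CURRENT (like NONE) disables per-text timestamp identification, so the
# default boundary detection (BREAK_ONLY_BEFORE_DATE = true) is likely to
# not work as desired. Control event breaking explicitly instead:
# assumed here that every line is one event.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)

[example:has_timestamp]
# DATETIME_CONFIG is deliberately left unset. The default
# ($SPLUNK_HOME/etc/datetime.xml) keeps the timestamp extractor running,
# so the event time is identified from the event text rather than taken
# from the clock at index time.
```

With CURRENT, the event time records when the data was indexed, not when the activity happened, so any delay in delivery shifts events on a search timeline.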
DATETIME_CONFIG = CURRENT appears to read that the time it hits the forwarder is the time it will appear in the search/index window.
I need to use the actual time of the event that is inside the event as the time. How do I configure this?