Solved: Is there a way I can force Splunk to ignore all da...

raysonjoberts · ‎08-26-2022

I have a simple .csv I ingest daily via a monitored file, my .csv has some fields in it that show dates/time, but they do NOT represent the time I want the event indexed at.
I want the _time to show the time the .csv field was ingested and for Splunk to ignore the other fields in the .csv which have dates/time present.

I have created a new source type by cloning .csv and set the timestamp to use "current time", however, Splunk will still prefer to use random dates/times found in field values and only use "current time" when no fields contain any other time information.

I can "fix" this by manually adding a time field in the .csv before ingesting, but I am trying to automate this process as much as possible.

Is there a way I can force Splunk to ignore all date/time values found in a .csv and use ingest time for the _time value?

Thank you in advance!

richgalloway · ‎08-26-2022

Putting DATETIME_CONFIG = CURRENT in the appropriate props.conf stanza should do it. If that fails, try DATETIME_CONFIG = NONE.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎08-26-2022

Putting DATETIME_CONFIG = CURRENT in the appropriate props.conf stanza should do it. If that fails, try DATETIME_CONFIG = NONE.

---
If this reply helps you, Karma would be appreciated.

raysonjoberts · ‎08-28-2022

That works perfectly, thank you!

Is there a way I can force Splunk to ignore all date/time values found in a csv and use ingest time for the _time value?

CSV

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!