Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Perfmon:CPU timestamp

douglasmsouza
Explorer
‎05-07-2020 12:03 PM

Hello!

I'm trying to change the timestamp (_time) from Perfmon:CPU before index, to use my Splunk Heavy Forwarder date instead of the original event timestamp.

The Perfmon:CPU _raw is:

05/07/2020 15:46:37.269 -0300
collection=CPU
object=Processor
counter="% Processor Time"
instance=_Total
Value=1.887035386881708

My Splunk architecture is: Universal Forwarder -> Heavy Forwarder -> Indexer

I have tried the following configurations on my Heavy Forwarder (props.conf):

[source::Perfmon...]
DATETIME_CONFIG = CURRENT
MAX_TIMESTAMP_LOOKAHEAD = 1

[Perfmon:CPU]
DATETIME_CONFIG = CURRENT
MAX_TIMESTAMP_LOOKAHEAD = 1

[source::Perfmon:CPU]
DATETIME_CONFIG = CURRENT
MAX_TIMESTAMP_LOOKAHEAD = 1

None of this configurations worked and the _time of Perfmon:CPU events already is the original timestamp (first line of _raw).

I also configured a transform to remove the first line of _raw event. Even if the first line is removed, the _time field don't respect DATETIME_CONFIG = CURRENT configuration.

Can anyone help me?

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...