Perfmon:CPU timestamp

Getting Data In

Hello!

I'm trying to change the timestamp (_time) from Perfmon:CPU before index, to use my Splunk Heavy Forwarder date instead of the original event timestamp.

The Perfmon:CPU _raw is:

05/07/2020 15:46:37.269 -0300
collection=CPU
object=Processor
counter="% Processor Time"
instance=_Total
Value=1.887035386881708

My Splunk architecture is: Universal Forwarder -> Heavy Forwarder -> Indexer

I have tried the following configurations on my Heavy Forwarder (props.conf):

[source::Perfmon...]
DATETIME_CONFIG = CURRENT
MAX_TIMESTAMP_LOOKAHEAD = 1

[Perfmon:CPU]
DATETIME_CONFIG = CURRENT
MAX_TIMESTAMP_LOOKAHEAD = 1

[source::Perfmon:CPU]
DATETIME_CONFIG = CURRENT
MAX_TIMESTAMP_LOOKAHEAD = 1

None of this configurations worked and the _time of Perfmon:CPU events already is the original timestamp (first line of _raw).

I also configured a transform to remove the first line of _raw event. Even if the first line is removed, the _time field don't respect DATETIME_CONFIG = CURRENT configuration.

Can anyone help me?

Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened Audit Trail v2 wasn’t written in isolation—it was shaped by your voices. In ...

Are you a member of the Splunk Community?