Perfmon:CPU timestamp

Getting Data In

Hello!

I'm trying to change the timestamp (_time) from Perfmon:CPU before index, to use my Splunk Heavy Forwarder date instead of the original event timestamp.

The Perfmon:CPU _raw is:

05/07/2020 15:46:37.269 -0300
collection=CPU
object=Processor
counter="% Processor Time"
instance=_Total
Value=1.887035386881708

My Splunk architecture is: Universal Forwarder -> Heavy Forwarder -> Indexer

I have tried the following configurations on my Heavy Forwarder (props.conf):

[source::Perfmon...]
DATETIME_CONFIG = CURRENT
MAX_TIMESTAMP_LOOKAHEAD = 1

[Perfmon:CPU]
DATETIME_CONFIG = CURRENT
MAX_TIMESTAMP_LOOKAHEAD = 1

[source::Perfmon:CPU]
DATETIME_CONFIG = CURRENT
MAX_TIMESTAMP_LOOKAHEAD = 1

None of this configurations worked and the _time of Perfmon:CPU events already is the original timestamp (first line of _raw).

I also configured a transform to remove the first line of _raw event. Even if the first line is removed, the _time field don't respect DATETIME_CONFIG = CURRENT configuration.

Can anyone help me?

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers, So you searched, “what is the name of the usb key inserted by bob smith?” Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register Is your ...