Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is props.conf current date not working?

yohhpark
Path Finder
‎09-05-2023 08:37 AM

test_id": "CHICKEN-0123456",
"last_test_date": "2023-09-04 12:34:00"

 

with such above file and todays date 09/25/2023

 

once it is monitored by the splunk, I cannot search this data with the 'current' date or even current time; 15 or 60mintues.

 

instead it tends to read the dates off of the file which is the 'last test date' = 09/24/2023 therefore from the search I have to put either on that day or 1day to find the data.

 

Props.conf currently set as 

DATETIME_CONFIG = CURRENT

 

I want the file to be 'read' today if it was uploaded today. (or 15 min if it was uploaded within 15min) NOT going off of the date in the file.

 

Gurus hop in plesae.

Tags (2)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-05-2023 01:29 PM

Ok. First things first - where and how do you ingest the files and where do you have the props.conf with the DATETIME_CONFIG setting? And are you sure it is being active?

Reply

yohhpark
Path Finder
‎09-05-2023 01:44 PM

forwarder is forwarding (ex) /var/log/test.txt

and the file IS test.txt

and it is active because I can see the files from the search, except the dates are not feeding.

props.conf is seating on the /etc/apps/test/local/props.conf

Tags (1)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-05-2023 10:37 PM

OK. But on which component did you put this props.conf file? On the UF? Then it's not the proper place for it. UF does not do parsing (except for indexed extractions but it's not the case I suppose) and DATETIME_CONFIG is a setting regarding parsing stage. So put it onto your indexer(s) or intermediate HF(s) if you have them.

Also - did you configure DATETIME_CONFIG for the proper sourcetype?

0 Karma
Reply

Manojbh_splunk
Loves-to-Learn
‎09-05-2023 01:55 PM

what is the timezone your server is in.

current_time takes current system time

0 Karma
Reply

yohhpark
Path Finder
‎09-05-2023 02:17 PM

it's EST.

also that is not the problem. it's the date also.

 

docuemtn name is 09042023_test.txt

and inside it has something like

ID= 101010

processed_date=09/03/2023

 

and today's date is 09/05/2023

 

 

but when the forwarder forwards, it takes the date inside of the document resulting the search has to go 2 days back to find the data

0 Karma
Reply

yohhpark
Path Finder
‎10-03-2023 08:00 AM

anything new you've found? still couldn't solved the issue.

0 Karma
Reply

Manojbh_splunk
Loves-to-Learn
‎09-06-2023 12:16 AM

Can you share your props.conf file.

i think you are forcing splunk to take _time as processedtime in logs

0 Karma
Reply

yohhpark
Path Finder
‎09-06-2023 08:25 AM

it's really nothing to share honestly.

 

[test]

DATETIME_CONFIG = current

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Although it might seem daunting, as we’ve seen in this series, manual instrumentation can be straightforward ...

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

Ready to make your IT operations smarter and more efficient? Discover how to automate Splunk alerts with Red ...