- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Why is props.conf current date not working?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why is props.conf current date not working?
test_id": "CHICKEN-0123456",
"last_test_date": "2023-09-04 12:34:00"
with such above file and todays date 09/25/2023
once it is monitored by the splunk, I cannot search this data with the 'current' date or even current time; 15 or 60mintues.
instead it tends to read the dates off of the file which is the 'last test date' = 09/24/2023 therefore from the search I have to put either on that day or 1day to find the data.
Props.conf currently set as
DATETIME_CONFIG = CURRENT
I want the file to be 'read' today if it was uploaded today. (or 15 min if it was uploaded within 15min) NOT going off of the date in the file.
Gurus hop in plesae.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok. First things first - where and how do you ingest the files and where do you have the props.conf with the DATETIME_CONFIG setting? And are you sure it is being active?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
forwarder is forwarding (ex) /var/log/test.txt
and the file IS test.txt
and it is active because I can see the files from the search, except the dates are not feeding.
props.conf is seating on the /etc/apps/test/local/props.conf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK. But on which component did you put this props.conf file? On the UF? Then it's not the proper place for it. UF does not do parsing (except for indexed extractions but it's not the case I suppose) and DATETIME_CONFIG is a setting regarding parsing stage. So put it onto your indexer(s) or intermediate HF(s) if you have them.
Also - did you configure DATETIME_CONFIG for the proper sourcetype?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
what is the timezone your server is in.
current_time takes current system time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it's EST.
also that is not the problem. it's the date also.
docuemtn name is 09042023_test.txt
and inside it has something like
ID= 101010
processed_date=09/03/2023
and today's date is 09/05/2023
but when the forwarder forwards, it takes the date inside of the document resulting the search has to go 2 days back to find the data
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
anything new you've found? still couldn't solved the issue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you share your props.conf file.
i think you are forcing splunk to take _time as processedtime in logs
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it's really nothing to share honestly.
[test]
DATETIME_CONFIG = current
Introducing the Splunk Community Dashboard Challenge!
Get the T-shirt to Prove You Survived Splunk University Bootcamp
Wondering How to Build Resiliency in the Cloud?
