Will Outputs.conf reflect the timestamp parameters...

sarvesh_11 · ‎04-04-2019

Hello Splunkers,

I have outputs.conf in my Universal Forwarder at \etc\system\local\ , I am monitoring some log files gave the monitor path in inputs.conf.
Now just like we mention in props.conf about time stamp parameters,
Can i update the same here in Outputs.conf at SplunkUniversalForwarder\etc\system\local\ ?
Ex:
[sourcetype / source]
DATETIME_CONFIG = none
SHOULD_LINEMERGE = true.
Will i be able to get data cooked with these parameters?

Thanks in advance.
Keep Splunkning 🙂

skoelpin · ‎04-04-2019

No.. outputs.conf will only tell the forwarder where to send the data

You should also look into moving it away from etc/system/local and put it in an app instead. Reason being, if you ever had to scale the number of servers with a UF installed, you would need to use the deployment server which drops files in $SPLUNK_HOME/etc/apps/<APP-NAME>. If you have it in etc/system/local then those outputs will override what you sent via the deployment server

Will Outputs.conf reflect the timestamp parameters?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation