Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk to force the date of events with current date instead of file date

Raja_Selvaraj
Explorer
‎07-22-2025 08:54 AM

Hi Everyone,

Please help me regarding this ask - i need the splunk to show the respective events with the current date instead of the date when the file being placed in the host. For instance, like the file been placed in server dated 17th july and the events are showing with date 17th july instead i want with the current date. 

If the current date 22nd July, then event's date should mentioned as 22nd July and likewise.

I have tried with DATETIME_CONFIG = CURRENT and DATETIME_CONFIG = NONE in props.conf but it doesn't work.

Raja_Selvaraj_0-1753199486641.png

 

Labels (1)
Labels
0 Karma
Reply

PrewinThomas
Motivator
‎07-23-2025 03:29 AM

@Raja_Selvaraj 

DATETIME_CONFIG = CURRENT should work normally.
But observed few times with monitor input, Splunk still scans the event content or file metadata (modtime) to determine _time, even if DATETIME_CONFIG = CURRENT is set.

Are you using monitor input?

But you can use the modification at search time.

Eg:

BASE_SEARCH
| eval _time = now()


Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎07-23-2025 02:51 AM

Hi @Raja_Selvaraj 

Can you confirm which server(s) you have put the DATETIME_CONFIG = CURRENT on and what type of instance this is? (Universal Forwarder / Heavy Forwarder / Indexer) ?

This needs to be on the first full deployment (HF/Indexer) that the data hits as this is where it is parsed

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-22-2025 02:22 PM

If you want to modify displayed time so that whenever you're searching for the event you're being shown current time, you have to do it in search time.

<your_search>
| eval _time=now()

Question is why would you do that. Time is one of the main and most important metadata about the event.

And it has nothing to do with DATETIME_CONFIG - that setting only works during event ingestion. It modifies what timestamp will be assigned to the event. But each event when it's indexed gets its own timestamp and you can't modify the indexed timestamp. You can only "cheat" during searching by overwriting the value as I've shown above.

Reply

SanjayReddy
SplunkTrust
SplunkTrust
‎07-22-2025 10:48 AM

Hi @Raja_Selvaraj 

DATETIME_CONFIG = CURRENT it should work as expected.

Can you please run btool command to check if DATETIME_CONFIG taking effect or any config overriding it.

splunk btool props list <sourcetype> --debug  

above comand should list datetime_config 

sample format in props.conf 
[<sourcetype>]
DATETIME_CONFIG=CURRENT 

Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...