

# Splunk props.conf how to
Most events do not require special timestamp handling. The Splunk platform recognizes and extracts timestamps correctly. However, with some sources and distributed deployments, you might need to configure how the Splunk platform extracts timestamps to ensure that the timestamps have the proper format.

You can configure timestamp extraction in these ways:

- Use the Set Source Type page in Splunk Web to interactively adjust timestamps on sample data. Once you're happy with the results, you can save the changes to a new source type and then apply that source type to your data inputs. This option is available on Splunk Cloud Platform only if you upload a file directly to the instance. See Assign the correct source types to your data.
- Edit timestamp properties in the props.conf configuration file. This option is available on both Splunk Cloud Platform and Splunk Enterprise under the following conditions:
  - If you have Splunk Cloud Platform and need to modify timestamp extraction, use a heavy forwarder to ingest the data and send it to the Splunk Cloud Platform instance. The heavy forwarder lets you specify configurations that extract the timestamps. You cannot make these configurations with the universal forwarder or with Splunk Cloud Platform directly.
  - On Splunk Enterprise instances, if you need to modify timestamp extraction, specify the configuration on the indexers. In cases where you have to forward data, you must configure a heavy forwarder to handle these changes.
- If you have a custom timestamp that can't be handled by configuring the props.conf file, substitute your own timestamp processor with the DATETIME_CONFIG setting. This setting specifies the file that the Splunk platform uses for timestamp processing. On a Splunk Enterprise instance, you can find the timestamp processor at $SPLUNK_HOME/etc/datetime.xml by default. You do not need to edit this file normally, unless you work with unusual custom timestamps. You cannot edit this file on a Splunk Cloud Platform instance because you do not have access to the Splunk Cloud Platform file system.

If you need to configure timestamp recognition, you can make changes by editing timestamp settings in the props.conf configuration file, as described in this topic.

## Edit timestamp properties in the props.conf configuration file

To configure how the Splunk platform recognizes timestamps, edit the props.conf configuration file. You can edit timestamp properties on a heavy forwarder to ensure that Splunk Cloud Platform sees and uses the proper timestamps, or you can edit them directly on a Splunk Enterprise instance.

With this file, you can control how the Splunk platform processes the timestamps that it sees in incoming events. The props.conf file has several settings for timestamp processing. See the props.conf specification file in the Admin Manual. For example, you can use the TIME_FORMAT setting to specify a format for the timestamp that is based on the strptime() string to time-structure conversion function. You can also configure where to look in an event for a timestamp, what time zone to use for events, or how to deal with timestamps of varying currency.

Follow these steps to configure timestamp recognition:
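As an added illustration that is not part of the Splunk documentation, the Python script below models how the props.conf timestamp settings discussed here (TIME_FORMAT plus the settings that control where to look, which time zone to apply and how old a timestamp may be: TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD, TZ and MAX_DAYS_AGO) act on constructed sample events. The source type name fw:sample and the sample log lines are assumptions, and the model is deliberately simplified: Splunk's own extractor has a richer strptime() dialect and more fallback rules than shown.

```python
import re
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

# Constructed sample events (not real logs) whose timestamp follows "ts=";
# the second is deliberately stale and the third has no timestamp at all.
SAMPLE_EVENTS = [
    "ts=2024-03-05 14:07:33 action=deny src=10.0.0.5 dst=203.0.113.7",
    "ts=2019-01-01 00:00:00 action=allow src=10.0.0.9 dst=10.0.0.1",
    "action=deny src=10.0.0.5 reason=no-timestamp",
]

# The same values an assumed props.conf stanza [fw:sample] would carry.
SETTINGS = {
    "TIME_PREFIX": r"ts=",               # regex locating the timestamp start
    "MAX_TIMESTAMP_LOOKAHEAD": 19,       # characters read after the prefix
    "TIME_FORMAT": "%Y-%m-%d %H:%M:%S",  # strptime() pattern
    "TZ": "UTC",                         # zone applied when the event has none
    "MAX_DAYS_AGO": 30,                  # reject timestamps older than this
}


def extract_timestamp(event, settings, now):
    """Return (aware datetime or None, reason) for one event.
    Simplified model of the props.conf settings above; Splunk's own
    extractor has a richer strptime() dialect and more fallback rules."""
    m = re.search(settings["TIME_PREFIX"], event)
    if not m:
        return None, "no TIME_PREFIX match"
    # Python's strptime() must consume the whole window, so the lookahead is
    # set to the exact timestamp length (Splunk's parser is more lenient).
    window = event[m.end():m.end() + settings["MAX_TIMESTAMP_LOOKAHEAD"]]
    try:
        naive = datetime.strptime(window, settings["TIME_FORMAT"])
    except ValueError:
        return None, "TIME_FORMAT did not match"
    tz = timezone.utc if settings["TZ"] == "UTC" else ZoneInfo(settings["TZ"])
    ts = naive.replace(tzinfo=tz)
    if now - ts > timedelta(days=settings["MAX_DAYS_AGO"]):
        # Too old: rejected, so the platform's fallback rules decide the time.
        return None, "older than MAX_DAYS_AGO"
    return ts, "ok"


def run_samples(now=datetime(2024, 3, 10, tzinfo=timezone.utc)):
    """Apply SETTINGS to every sample event; returns [(ts, reason), ...]."""
    return [extract_timestamp(e, SETTINGS, now) for e in SAMPLE_EVENTS]
```

Running a candidate TIME_FORMAT over real sample lines this way, before deploying the stanza, catches the silent failure mode where events are indexed under the wrong time and then drop out of time-bounded searches and incident timelines.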
