How to Override Event Time with Index Time in Splunk


Sometimes, for particular reasons, we need the “index time” to serve as the “event time” of our events; in that case we override the “event time” with the “index time”.

Step i) Open the terminal and follow the steps below.

You have to add a stanza to props.conf:

# cd /opt/splunk/etc/system/local

# vi props.conf




BREAK_ONLY_BEFORE = ^(\x{18}\,\x{18})|(Job\sId.*)

Step ii) If you want events broken according to your own rule, keep “SHOULD_LINEMERGE = true” and write the break-before policy:

“BREAK_ONLY_BEFORE = ^(\x{18}\,\x{18})|(Job\sId.*)”.


LINE_BREAKER = ([\r\n]+)

Occasionally “SHOULD_LINEMERGE = false” does not behave as expected; then you should tell Splunk exactly where lines should be broken, using the LINE_BREAKER regex above (the capturing group marks the characters Splunk discards between events).
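As an added example (not from the original post), here is a complete props.conf stanza that makes Splunk use the index time as the event time and adds the line-breaking settings from the steps above; the sourcetype name my_app_log is assumed, and the second stanza shows the LINE_BREAKER alternative for when line merging is turned off.

```ini
# /opt/splunk/etc/system/local/props.conf  (added example; sourcetype names are assumed)

[my_app_log]
# Stamp each event with the time it is indexed instead of parsing a timestamp from the raw text.
DATETIME_CONFIG = CURRENT
# Merge raw lines into one event and start a new event only before a line matching this regex.
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = ^(\x{18}\,\x{18})|(Job\sId.*)

[my_app_log_nomerge]
# Same timestamp override, but break events explicitly at newlines and skip line merging.
DATETIME_CONFIG = CURRENT
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
```

After a restart you can confirm the override with a search such as `sourcetype=my_app_log | eval lag=_indextime-_time | stats max(lag)`, which should report (close to) zero. Keep in mind that _time now records arrival rather than occurrence, so delayed or replayed logs land on the timeline at ingestion time; leave the original timestamp in the raw event if investigations need it.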

Hope this has helped you override event time with index time in Splunk without fail.


Happy Splunking!!

