How to Override Event Time with Index Time in Splunk


Sometimes we need the "index time" (the moment Splunk ingested the event) to serve as the "event time" of our events. In that case we override the event time with the index time.

Step i) Open a terminal and add the following stanza to props.conf:

# cd /opt/splunk/etc/system/local
# vi props.conf

[source::/users/*_bulk_error.csv]
DATETIME_CONFIG = CURRENT
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = ^(\x{18}\,\x{18})|(Job\sId.*)

DATETIME_CONFIG = CURRENT is the setting that does the work: Splunk stops extracting a timestamp from the event text and stamps each event with the time it was indexed.

Step ii) If you want Splunk to break lines according to your own rule, keep SHOULD_LINEMERGE = true and write the policy for breaking before a matching line:

BREAK_ONLY_BEFORE = ^(\x{18}\,\x{18})|(Job\sId.*)

The other option is to turn line merging off and set the line breaker explicitly:

SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)

Occasionally SHOULD_LINEMERGE = false alone does not behave as expected; in that case you must tell Splunk exactly where a line should be broken by setting LINE_BREAKER.
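As an added example that is not part of the original post, here is a small Python linter that parses a props.conf stanza like the one above and flags the mistakes a reviewer checks for: DATETIME_CONFIG not set to CURRENT, BREAK_ONLY_BEFORE paired with SHOULD_LINEMERGE = false (where Splunk ignores it), and a LINE_BREAKER with no capturing group or one that can match an empty string. The sample stanza is constructed and deliberately contains two of these mistakes; the \x{HH} rewrite is a minimal shim because Splunk regexes are PCRE and Python's re module does not accept that syntax.

```python
import re

# Constructed sample stanza modelled on the post, deliberately misconfigured:
# SHOULD_LINEMERGE=false makes BREAK_ONLY_BEFORE inert, and the LINE_BREAKER
# below can match an empty string (should be + rather than *).
PROPS_CONF = r"""
[source::/users/*_bulk_error.csv]
DATETIME_CONFIG = CURRENT
SHOULD_LINEMERGE = false
BREAK_ONLY_BEFORE = ^(\x{18}\,\x{18})|(Job\sId.*)
LINE_BREAKER = ([\r\n]*)
"""

def parse_props(text):
    # Parse props.conf-style text into {stanza_name: {key: value}}.
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def pcre_to_python(pattern):
    # Splunk regexes are PCRE; Python's re has no \x{HH} form, so rewrite it as \xHH.
    return re.sub(r"\\x\{([0-9A-Fa-f]{1,2})\}", r"\\x\1", pattern)

def lint_stanza(settings):
    # Return human-readable findings for one props.conf stanza.
    findings = []
    if settings.get("DATETIME_CONFIG") != "CURRENT":
        findings.append("DATETIME_CONFIG is not CURRENT: _time is extracted from the event text")
    merge = settings.get("SHOULD_LINEMERGE", "true").lower() == "true"
    if not merge and "BREAK_ONLY_BEFORE" in settings:
        findings.append("BREAK_ONLY_BEFORE has no effect when SHOULD_LINEMERGE=false")
    for key in ("BREAK_ONLY_BEFORE", "LINE_BREAKER"):
        if key not in settings:
            continue
        try:
            rx = re.compile(pcre_to_python(settings[key]))
        except re.error as exc:
            findings.append(f"{key} is not a valid regex: {exc}")
            continue
        if key == "LINE_BREAKER" and (rx.groups == 0 or rx.match("")):
            findings.append("LINE_BREAKER needs a capturing group and must not match an empty string")
    return findings
```

Run lint_stanza on each stanza returned by parse_props; an empty list means the stanza passed every check.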

Hope this has helped you achieve the following requirement without fail:

How to Override Event Time with Index Time in Splunk

Happy Splunking!!
