How to Override Event Time with Index Time in Splunk
Sometimes, for various reasons, we need the “index time” to serve as the “event time” of our events; in that case we override the “event time” with the “index time”.
Step i) Open a terminal and follow the steps below.
You have to add a stanza to props.conf:
# cd /opt/splunk/etc/system/local
# vi props.conf
[source::/users/*_bulk_error.csv]
DATETIME_CONFIG = CURRENT
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = ^(\x{18}\,\x{18})|(Job\sId.*)
Step ii) If you want to break lines as per your own requirement, keep “SHOULD_LINEMERGE = true” and write the line-breaking policy in
“BREAK_ONLY_BEFORE = ^(\x{18}\,\x{18})|(Job\sId.*)”.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
Occasionally “SHOULD_LINEMERGE = false” does not work as expected; in that case you should tell Splunk exactly where a line should be broken, using LINE_BREAKER.
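As an added illustration (not part of the original post and not Splunk's own code), the Python script below simulates what these three settings do to a constructed sample of lines from a *_bulk_error.csv file: LINE_BREAKER splits the raw stream into lines, SHOULD_LINEMERGE together with BREAK_ONLY_BEFORE merges those lines into events, and DATETIME_CONFIG = CURRENT stamps every event with the index time instead of anything found in the text. The sample lines, the helper names and the simplified merge logic are assumptions made for the example; the PCRE escape \x{18} from the stanza is written as Python's \x18.

```python
import re
import time

# Constructed sample (not real data): a few lines shaped like the bulk-error CSV
# the stanza targets. The "Job Id" header and the \x18,\x18 separator are assumed
# to mark the start of each record, which is what BREAK_ONLY_BEFORE implies.
SAMPLE = (
    "Job Id,Status,Message\r\n"
    "1001,FAILED,bad record\r\n"
    "continuation line for 1001\r\n"
    "\x18,\x18\r\n"
    "1002,FAILED,timeout\r\n"
)

# LINE_BREAKER = ([\r\n]+): the captured group is the boundary between lines.
LINE_BREAKER = re.compile(r"([\r\n]+)")
# BREAK_ONLY_BEFORE = ^(\x{18}\,\x{18})|(Job\sId.*) in Python syntax.
# Note the alternation: "^" binds only to the first branch, so "Job Id"
# is matched anywhere in the line, exactly as in the stanza.
BREAK_ONLY_BEFORE = re.compile(r"^(\x18,\x18)|(Job\sId.*)")


def split_lines(raw):
    """Mimic LINE_BREAKER: split on the captured boundary, dropping the
    boundary strings themselves and any empty trailing piece."""
    return [
        piece
        for piece in LINE_BREAKER.split(raw)
        if piece and not LINE_BREAKER.fullmatch(piece)
    ]


def merge_events(lines, should_linemerge=True):
    """Mimic SHOULD_LINEMERGE + BREAK_ONLY_BEFORE (simplified assumption):
    with merging on, a new event starts at every line that matches
    BREAK_ONLY_BEFORE and other lines are appended to the current event;
    with merging off, every line is its own event."""
    if not should_linemerge:
        return list(lines)
    events = []
    for line in lines:
        if BREAK_ONLY_BEFORE.search(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


def index_events(events, index_time=None):
    """Mimic DATETIME_CONFIG = CURRENT: _time is the time of indexing for
    every event, regardless of any timestamp present in the raw text."""
    if index_time is None:
        index_time = time.time()
    return [{"_time": index_time, "_raw": raw} for raw in events]


if __name__ == "__main__":
    lines = split_lines(SAMPLE)
    for event in index_events(merge_events(lines)):
        print(event["_time"], repr(event["_raw"]))
    print("without line merging:", len(merge_events(lines, should_linemerge=False)), "events")
```

Run as-is, the script produces two multi-line events from the five sample lines (one starting at the “Job Id” header, one at the \x18,\x18 separator), all carrying the same _time, and five single-line events when merging is switched off. The same property is the caveat to keep in mind when searching: with DATETIME_CONFIG = CURRENT, _time records when the file was indexed, so a late or re-ingested file appears at ingestion time rather than at the time the underlying failures occurred, which matters when these events are correlated with other sources.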
Hope this has helped you achieve the requirement below without fail:
How to Override Event Time with Index Time in Splunk
Happy Splunking !!