Does anyone know how we can use the timestamp of the file from the operating system as the timestamp for events? For example, if I have 1000-line CSV files that were created on Windows at 1:50 PM, another file at 4:00 PM and another file at 7:00 PM, how can I tell Splunk to use that timestamp for the events rather than searching the CSV file trying to find a timestamp? There may be multiple fields that have a timestamp, but I just need to develop my searches to know when the file was created.
asked 07 Mar '11, 00:14
Splunk has a series of rules it goes through in determining how to timestamp an event from any source.
Splunk doc link to how timestamps are auto-recognized:
It sounds like option #5 in that doc is where you are trying to go:
I don't see a way of explicitly forcing Splunk to go to that option, but you may be able to influence it into thinking there is NO valid timestamp within the file. Maybe with something like this (props.conf):
This takes advantage of the TIME_PREFIX rule of "If the TIME_PREFIX cannot be found in the event text, timestamp extraction does not take place." Obviously, your input file can't have a line in it that says only "this should not ever happen".
One option that is easily settable is using the "current time" always. This is the time Splunk indexes the event, not necessarily the time of the file. See related question/answer at:
answered 07 Mar '11, 19:27
What dwaddle says will totally work, but this is a simpler method:
Just turn off the timestamping and Splunk will use the modtime of the file.
answered 07 Mar '11, 19:36
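Both answers written out as props.conf stanzas, as an added example that is not from either answerer; the sourcetype names are assumed, and the file is assumed to arrive through a monitor input (for non-file inputs Splunk falls back to index time instead of modtime):

```ini
# props.conf (added example; sourcetype names are assumed)

# Option A (second answer): switch timestamp extraction off entirely.
# For monitored files Splunk then stamps each event with the file's
# modification time, which is what the question asks for.
[winbatch_csv]
DATETIME_CONFIG = NONE
# With no timestamps found, the default line merging (break only before
# a date) would glue the whole file into one event, so break on every
# newline instead and keep one CSV row per event.
SHOULD_LINEMERGE = false

# Option B (first answer): leave extraction on but point TIME_PREFIX at
# text that never appears in the file, so no timestamp is ever found and
# extraction is skipped for every line.
[winbatch_csv_alt]
SHOULD_LINEMERGE = false
TIME_PREFIX = this should not ever happen
```

Put this on the tier that parses the data (indexer or heavy forwarder) under a sourcetype used only by these files, not in the default [csv] stanza, or every other CSV input loses its timestamps; already-indexed events keep their old _time.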
answered 26 Jan '12, 01:17