Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Will Outputs.conf reflect the timestamp parameters?

sarvesh_11
Communicator
‎04-04-2019 01:56 AM

Hello Splunkers,

I have outputs.conf in my Universal Forwarder at \etc\system\local\ , I am monitoring some log files gave the monitor path in inputs.conf.
Now just like we mention in props.conf about time stamp parameters,
Can i update the same here in Outputs.conf at SplunkUniversalForwarder\etc\system\local\ ?
Ex:
[sourcetype / source]
DATETIME_CONFIG = none
SHOULD_LINEMERGE = true.
Will i be able to get data cooked with these parameters?

Thanks in advance.
Keep Splunkning 🙂

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎04-04-2019 05:32 AM

No.. outputs.conf will only tell the forwarder where to send the data

You should also look into moving it away from etc/system/local and put it in an app instead. Reason being, if you ever had to scale the number of servers with a UF installed, you would need to use the deployment server which drops files in $SPLUNK_HOME/etc/apps/<APP-NAME>. If you have it in etc/system/local then those outputs will override what you sent via the deployment server

Reply
Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...