Hello!
I'm trying to change the timestamp (_time) of Perfmon:CPU events before indexing, so that my Splunk Heavy Forwarder's date is used instead of the original event timestamp.
The Perfmon:CPU _raw is:
05/07/2020 15:46:37.269 -0300
collection=CPU
object=Processor
counter="% Processor Time"
instance=_Total
Value=1.887035386881708
My Splunk architecture is: Universal Forwarder -> Heavy Forwarder -> Indexer
I have tried the following configurations on my Heavy Forwarder (props.conf):
[source::Perfmon...]
DATETIME_CONFIG = CURRENT
MAX_TIMESTAMP_LOOKAHEAD = 1
[Perfmon:CPU]
DATETIME_CONFIG = CURRENT
MAX_TIMESTAMP_LOOKAHEAD = 1
[source::Perfmon:CPU]
DATETIME_CONFIG = CURRENT
MAX_TIMESTAMP_LOOKAHEAD = 1
None of these configurations worked, and the _time of Perfmon:CPU events is still the original timestamp (the first line of _raw).
I also configured a transform to remove the first line of the _raw event. Even with the first line removed, the _time field doesn't respect the DATETIME_CONFIG = CURRENT configuration.
Can anyone help me?
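The Perfmon:CPU _raw quoted above has a fixed shape: one line with a local timestamp and a UTC offset, followed by key=value lines (one of them, counter, quoted because its value contains a space and a percent sign). The parser below is an added example, not part of the question or of Splunk itself: it extracts the original event time from that first line, converts it to epoch seconds using the -0300 offset, and optionally restamps the event with a supplied receive-time clock while keeping the original timestamp as a field, which is the end result the poster is after. The sample event is the one from the question, embedded here as a constant; the function names and the orig_time field name are this example's own choices.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the Perfmon:CPU _raw quoted in the question.
SAMPLE_RAW = """05/07/2020 15:46:37.269 -0300
collection=CPU
object=Processor
counter="% Processor Time"
instance=_Total
Value=1.887035386881708"""

# First line of the event: MM/DD/YYYY HH:MM:SS.mmm followed by a UTC offset.
TS_FORMAT = "%m/%d/%Y %H:%M:%S.%f %z"

# key=value or key="quoted value" (quotes are stripped, inner spaces kept).
KV_RE = re.compile(r'^(\w+)=(?:"([^"]*)"|(.*))$')


def parse_perfmon_event(raw):
    """Split a Perfmon _raw into its event time (epoch seconds) and its fields."""
    lines = raw.strip().splitlines()
    if not lines:
        raise ValueError("empty event")
    # The offset (-0300) makes the datetime timezone-aware, so .timestamp()
    # yields the correct UTC epoch instead of assuming the local clock.
    ts = datetime.strptime(lines[0], TS_FORMAT)
    fields = {}
    for line in lines[1:]:
        m = KV_RE.match(line)
        if not m:
            raise ValueError("unexpected line in Perfmon event: %r" % line)
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return {
        "event_time": ts.timestamp(),
        "event_time_utc": ts.astimezone(timezone.utc).isoformat(),
        "fields": fields,
        "raw_without_timestamp": "\n".join(lines[1:]),
    }


def restamp_with_receive_time(parsed, receive_time):
    """Use the receiving host's clock as the event time, preserving the
    original timestamp in an orig_time field so it is not lost."""
    fields = dict(parsed["fields"], orig_time=parsed["event_time"])
    return dict(parsed, event_time=receive_time, fields=fields)


if __name__ == "__main__":
    parsed = parse_perfmon_event(SAMPLE_RAW)
    print(parsed["event_time_utc"], parsed["fields"])
    restamped = restamp_with_receive_time(parsed, datetime.now(timezone.utc).timestamp())
    print(restamped["event_time"], restamped["fields"]["orig_time"])
```

The 15:46:37.269 -0300 line resolves to 18:46:37.269 UTC, so comparing a restamped event's event_time with its orig_time field gives the real transport delay between the Windows host and the receiver, which is useful when deciding whether overriding _time is worth losing the collector's own clock.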