Turn off timestamp parsing

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

etc/bundles/local/props.conf

Turn off timestamp parsing

One easy way to speed up Splunk's indexing performance is to skip timestamp parsing for each event. Instead, Splunk will just use the current system time as the timestamp of each incoming event.

etc/bundles/local/props.conf

[source::source_not_to_timestamp]
DATETIME_CONFIG = CURRENT

Retrieved from "http://docs.splunk.com/Documentation/Splunk/2.2.1/Admin/TurnOffTimestampParsing"

« Turn off segment indexing Change the characters that separate segments within events »

This documentation applies to the following versions of Splunk: 2.1 , 2.2 , 2.2.1 , 2.2.3 , 2.2.6 View the Article History for its revisions.

Was this topic useful?
Post a comment

You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!

Admin Manual

Turn off timestamp parsing

Contents

Turn off timestamp parsing

etc/bundles/local/props.conf

Comments