Tune Timestamping
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Contents
Tune Timestamping
You can tune timestamping for better performance by editing props.conf
Turn off timestamp lookahead
If your data is being indexed in real time, and you want to use indexing time as the timestamp, you can increase Splunk's overall performance by turning off timestamp lookahead. Under this configuration, Splunk will no longer search through events or sources for time or date values. You can also turn off timestamps for a specific host, source or sourcetype, as well.
To turn off timestamp lookahead for a particular source, sourcetype or host, edit the stanza in $SPLUNK_HOME/etc/bundles/local/props.conf.
[<spec>] MAX_TIMESTAMP_LOOKAHEAD = 0
<spec> can be:
- <sourcetype>, the sourcetype of an event
- host::<host>, where <host> is the host for an event
- source::<source>, where <source> is the source for an event
You can also increase performance by setting MAX_TIMESTAMP_LOOKAHEAD lower (the default value is 150). You should do this if your timestamps occur in the first part of your event. The number following MAX_TIMESTAMP_LOOKAHEAD denotes the number of characters to search through for a timestamp.
This documentation applies to the following versions of Splunk: 3.0.1 , 3.0.2 , 3.1 , 3.1.1 , 3.1.2 , 3.1.3 , 3.1.4 View the Article History for its revisions.