Tune timestamp recognition for better indexing performance
To speed up indexing, you can adjust how far ahead into events Splunk's timestamp processor looks, or even turn off the timestamp processor altogether. You do this by editing props.conf.
For general information on editing props.conf for timestamps, see "Configure timestamp recognition".
Adjust timestamp lookahead
Timestamp lookahead determines how far (how many characters) into an event the timestamp processor looks for a timestamp. Adjust how far the timestamp processor looks by setting the MAX_TIMESTAMP_LOOKAHEAD attribute.
The default number of characters that the timestamp processor looks into an event is 150. You can set MAX_TIMESTAMP_LOOKAHEAD to a lower value to speed up indexing. You should particularly do this if the timestamps always occur in the first part of the event.
Example:
This example tells Splunk to look for timestamps in just the first 20 characters of events coming from source foo.
[source::foo]
MAX_TIMESTAMP_LOOKAHEAD = 20
...
Disable timestamp processor
You can turn off the timestamp processor entirely to improve indexing performance. Turn off timestamp processing for events matching a specified host, source, or sourcetype by setting the DATETIME_CONFIG attribute to NONE. When DATETIME_CONFIG=NONE, Splunk does not look at the text of the event for the timestamp. Instead, it uses the event's "time of receipt"; in other words, the time the event is received via its input. For file-based inputs (such as monitor) this means that Splunk derives the timestamp from the modification time of the input file.
You can also increase Splunk's indexing performance by setting DATETIME_CONFIG to CURRENT. This causes Splunk to assign the current system time to each event at the time of indexing.
Example:
This example turns off timestamp extraction for events that come from the source foo.
[source::foo]
DATETIME_CONFIG = NONE
...
Note: Both CURRENT and NONE explicitly disable timestamp identification, so the default event boundary detection (BREAK_ONLY_BEFORE_DATE = true) will likely not work as desired. When using these settings, use SHOULD_LINEMERGE and/or the BREAK_ONLY_* and MUST_BREAK_* settings to control event merging.
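As an added example (not from the Splunk documentation), the following Python model illustrates the trade-off behind both settings above: a lookahead window that is shorter than the prefix before the timestamp silently misses it, and NONE or CURRENT replace the event's own time with the time of receipt or the indexing time. For an incident timeline that is the failure mode to check for before lowering MAX_TIMESTAMP_LOOKAHEAD, because events whose real timestamp sits outside the window are indexed with the wrong time. The timestamp regex, the two constructed sample events and the fall-back to receipt time are assumptions of this model, not Splunk's actual timestamp processor.

```python
import re
from datetime import datetime, timezone

# Assumed timestamp shape for this model: "YYYY-MM-DD HH:MM:SS".
# Splunk's real processor recognises many more formats.
TS_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample events. In the second one the timestamp begins at
# character 33, i.e. outside a 20-character lookahead window.
SAMPLE_EVENTS = [
    "2013-02-01 12:34:56 host=web01 action=login user=alice status=success",
    "web01 sshd[2231]: session opened 2013-02-01 12:35:10 user=bob",
]


def extract_timestamp(event, max_lookahead=150):
    """Search only the first max_lookahead characters of the event
    (the model of MAX_TIMESTAMP_LOOKAHEAD, default 150). Returns a UTC
    datetime, or None when no timestamp falls inside the window."""
    match = TS_RE.search(event[:max_lookahead])
    if match is None:
        return None
    return datetime.strptime(match.group(0), TS_FMT).replace(tzinfo=timezone.utc)


def assign_time(event, datetime_config="auto", max_lookahead=150,
                receipt_time=None, now=None):
    """Model of how the DATETIME_CONFIG modes on this page pick an event time.
    'NONE' uses the time of receipt, 'CURRENT' uses the indexing time, and
    the default mode searches the lookahead window. Falling back to the
    receipt time when nothing is found is an assumption of this model."""
    if datetime_config == "NONE":
        return receipt_time
    if datetime_config == "CURRENT":
        return now
    found = extract_timestamp(event, max_lookahead)
    return found if found is not None else receipt_time


def missed_with_lookahead(events, max_lookahead):
    """Validation check to run over a representative sample before tuning:
    indices of events whose timestamp is not inside the lookahead window."""
    return [i for i, ev in enumerate(events)
            if extract_timestamp(ev, max_lookahead) is None]


if __name__ == "__main__":
    for window in (20, 150):
        print(f"lookahead={window}: missed events {missed_with_lookahead(SAMPLE_EVENTS, window)}")
```

Running the block prints that a 20-character window misses the second sample event while the default 150 misses none; the same check against a sample of real events from a source is the quickest way to confirm that a lower MAX_TIMESTAMP_LOOKAHEAD is safe for it.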
This documentation applies to the following versions of Splunk: 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 5.0, 5.0.1, 5.0.2