Tune timestamp recognition for better indexing performance
To speed up indexing, you can use the props.conf configuration file to adjust how far ahead into events you want the timestamp processor to look. You can even turn off the timestamp processor altogether.
If you use Splunk Cloud Platform and need to modify timestamp extraction, use a heavy forwarder and perform the configuration on the machines where the heavy forwarders run.
If you use Splunk Enterprise and need to modify timestamp extraction, perform the configuration on your indexer machines. If you are forwarding data, use heavy forwarders and perform the configuration on the machines where the heavy forwarders run. If you use Splunk Cloud Platform and need to modify timestamp extraction, use a heavy forwarder and perform the configuration on the machines where the heavy forwarders run. For information on editing the props.conf configuration file for timestamps, see Configure timestamp recognition.
Adjust timestamp lookahead
Timestamp lookahead determines how many characters into an event the timestamp processor looks for a timestamp. Adjust how far the timestamp processor looks by adjusting the MAX_TIMESTAMP_LOOKAHEAD
setting.
The default number of characters that the timestamp processor looks into an event is 128. You can set the MAX_TIMESTAMP_LOOKAHEAD
setting to a lower value to speed up indexing. Do this if the timestamps always occur in the first part of the event.
This examples looks for timestamps in the first 20 characters of events coming from the source foo
:
[source::foo] MAX_TIMESTAMP_LOOKAHEAD = 20 ...
Disable timestamp processor
You can turn off the timestamp processor entirely to improve indexing performance. Turn off timestamp processing for events that match a specific host, source, or source type by configuring the DATETIME_CONFIG
setting to NONE
. When DATETIME_CONFIG=NONE
, Splunk software doesn't look at the text of the event for the timestamp. Instead, it uses the event time of receipt, or the time the event is received from its input. For file-based inputs such as monitor
, the timestamp comes from the modification time of the input file.
You can also increase indexing performance by setting the DATETIME_CONFIG
setting to CURRENT
, which assigns the current system time to each event at the time of indexing.
This example turns off timestamp extraction for events that come from the source foo
:
[source::foo] DATETIME_CONFIG = NONE ...
Both CURRENT
and NONE
disable timestamp identification, so the default event boundary detection, BREAK_ONLY_BEFORE_DATE = true
, might not work as you expect. When you use these settings, specify SHOULD_LINEMERGE
or the BREAK_ONLY_*
and MUST_BREAK_*
settings to control event merging.
Specify time zones for timestamps | About indexed field extraction |
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408
Feedback submitted, thanks!