Splunk normally needs no special timestamp handling for an event, but some events do impose requirements: in some cases Splunk must read the time from the event text itself, in others timestamp extraction must be forced off entirely. In those cases, specific settings control the behaviour.
That configuration file is props.conf.
On when this configuration comes into play:
The timestamp processor
On a Splunk Enterprise instance, you can find the timestamp processor at $SPLUNK_HOME/etc/datetime.xml by default. You do not need to edit this file normally, unless you work with unusual custom timestamps. You cannot edit this file on a Splunk Cloud Platform instance because you do not have access to the Splunk Cloud Platform file system.
If you need to configure timestamp recognition, you can make changes by editing timestamp settings in the props.conf configuration file, as described in this topic.
If you have a custom timestamp that can't be handled by configuring the props.conf file, substitute your own timest
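The two cases described at the top of the page, as a props.conf fragment added here for illustration (this is not the page's own configuration or Splunk's documentation; the sourcetype names `app:audit` and `app:metrics` and the sample event line in the comments are constructed):

```ini
# props.conf -- added example, not from the original page.
# Case 1: Splunk must read the timestamp from the event itself.
# Hypothetical sourcetype "app:audit"; the constructed event it is written for looks like:
#   2024-05-07 13:42:11 +0000 user=alice action=login src=10.1.2.3
[app:audit]
SHOULD_LINEMERGE = false
# Anchor the timestamp at the start of the line, so a date-like string further
# into the event (for example inside a user-supplied field) is never picked up instead.
TIME_PREFIX = ^
# Only scan this many characters after TIME_PREFIX for the timestamp.
MAX_TIMESTAMP_LOOKAHEAD = 26
TIME_FORMAT = %Y-%m-%d %H:%M:%S %z
TZ = UTC
# Drop back to fallback behaviour for implausible dates (in days).
MAX_DAYS_AGO = 30
MAX_DAYS_HENCE = 1

# Case 2: force Splunk not to parse timestamps at all and stamp each event
# with the time it was processed by the indexer instead.
[app:metrics]
SHOULD_LINEMERGE = false
DATETIME_CONFIG = CURRENT
```

`DATETIME_CONFIG = NONE` is the other way to switch extraction off: it leaves the event time as whatever the input layer chose (for file monitor inputs that is the file modification time, for forwarded data the time selected on the forwarder), whereas `CURRENT` assigns the indexer's processing time. After deploying, confirm the merged settings with `splunk btool props list app:audit --debug`, then compare `_time` against `_indextime` on a few freshly indexed events: an unrecognised timestamp silently places events at the wrong point on the investigation timeline, which is the failure mode a detection engineer most needs to rule out.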