
Can you help me with a timestamp extraction for monitoring log files?

I want to monitor a log file, a file in which there are a lot of time constraints. Date and time are defined within the log file. The configuration in props.conf by default is set as `DATETIME_CONFIG= \etc\datetime.xml`. Since I have to monitor the log file from just one source, I am restricted from creating any custom app or making any change in the default. With the current setup, what I am getting is that Splunk is reading the time from the content of the log file, while the requirement is to get the time at which the file is created or last modified, i.e. to ignore the time that Splunk is reading from the events (log file). I'm not sure `DATETIME_CONFIG = none` will work if I define this in inputs.conf for that particular universal forwarder. I am also not sure whether this can be defined in inputs.conf or not.
