This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.2 , 3.2.1
You can tune timestamping for better performance by editing props.conf
If your data is being indexed in real time, and you want to use indexing time as the timestamp, you can increase Splunk's overall performance by turning off timestamp lookahead. Under this configuration, Splunk will no longer search through events or sources for time or date values. You can also turn off timestamps for a specific host, source or sourcetype, as well.
To turn off timestamp lookahead for a particular source, sourcetype or host, edit the stanza in $SPLUNK_HOME/etc/bundles/local/props.conf.
[<spec>] MAX_TIMESTAMP_LOOKAHEAD = 0
<spec> can be:
You can also increase performance by setting MAX_TIMESTAMP_LOOKAHEAD lower (the default value is 150). You should do this if your timestamps occur in the first part of your event. The number following MAX_TIMESTAMP_LOOKAHEAD denotes the number of characters to search through for a timestamp.