Getting Data In

timestamp in file inputs is the wrong format

daverodgers
Explorer

Hi all.

I have searched Splunk Answers and seen various people commenting on timestamp formats, but I can't find exactly what I'm seeing, so I thought I'd ask the question.

I am trying to create a new file input based on a txt file that gets updated with a timestamped event.

When I preview the file, it highlights the timestamp in my data with a green highlight, which I presume shows me that it has identified the time/date.

I'm in the UK so my data is DD/MM: 01/06/2015 13:58:47

However, on the right hand side of the preview screen where it shows the "event time distribution" as a small graph, the format is MM/DD.

Why is it changing this?

What is more bizarre is that I set up these file inputs last month and they were working fine. Date format was dd/mm etc. and I had no problems. But when we ticked over to the 1st of June, literally at midnight, the inputs stopped working.

I don't know of any change to our environment that would cause this. We haven't updated Splunk in any way recently. The files are being updated in the same way every 5 minutes, and the raw data in the files is still correct and hasn't changed.

Also, it isn't browser locale related. I am using the same URL I always use. I can use it with or without en-gb in the URL, and the same happens with these file inputs.

I know this is going to be very hard to provide a solution, but I've checked everything I can think of so I'm just looking for any ideas that I have possibly overlooked.

We are using Splunk 6.0.2 (Splunk Build 196940).

Thanks guys!

Dave

0 Karma

richgalloway
SplunkTrust

Splunk defaults to MM/DD format, but is smart enough to know there is no thirteenth month so "13/05" must be 13 May. Now that day numbers are back in the 1-12 range Splunk again thinks the first number is a month. You can resolve this by putting TIME_FORMAT = %d/%m/%Y %H:%M:%S in the relevant stanza of your props.conf file.

---
If this reply helps you, Karma would be appreciated.
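
A check for the ambiguity described in the answer above, added here as an example and not part of the original thread: it lists the events whose timestamp is a valid date under both the day-first and the month-first reading, and how many days apart the two readings are. The sample lines are constructed, and the script only compares the two readings; it does not reproduce Splunk's own timestamp recognition.

```python
import re
from datetime import datetime

# Constructed sample events in the layout from the question (DD/MM/YYYY HH:MM:SS).
SAMPLE_EVENTS = [
    "31/05/2015 23:55:02 status=ok",
    "01/06/2015 00:00:03 status=ok",
    "01/06/2015 13:58:47 status=ok",
    "12/06/2015 09:15:00 status=ok",
    "13/06/2015 09:15:00 status=ok",
]

TS_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})")
DAY_FIRST = "%d/%m/%Y %H:%M:%S"    # the TIME_FORMAT given in the answer
MONTH_FIRST = "%m/%d/%Y %H:%M:%S"  # the month-first reading of the same text


def try_parse(text, fmt):
    """Parse text with fmt; return None when it is not a valid date in that format."""
    try:
        return datetime.strptime(text, fmt)
    except ValueError:
        return None


def audit(lines):
    """Return (raw, day_first, month_first, skew_days) for every event whose
    timestamp is valid under both readings and the readings disagree."""
    findings = []
    for line in lines:
        match = TS_RE.match(line)
        if not match:
            continue  # no leading timestamp in the expected layout
        raw = match.group(1)
        as_day_first = try_parse(raw, DAY_FIRST)
        as_month_first = try_parse(raw, MONTH_FIRST)
        if as_day_first and as_month_first and as_day_first != as_month_first:
            skew = (as_month_first - as_day_first).days
            findings.append((raw, as_day_first, as_month_first, skew))
    return findings


if __name__ == "__main__":
    for raw, d, m, skew in audit(SAMPLE_EVENTS):
        print(f"{raw}: day-first={d:%d %b %Y} month-first={m:%d %b %Y} skew={skew:+d} days")
```

In the sample, 31/05 and 13/06 have only one valid reading, while 01/06 and 12/06 are ambiguous and would land months away from their real time if read month-first.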


woodcock
Esteemed Legend

This has been discussed ad nauseam in this other question (including the answer and many layers of debug):

http://answers.splunk.com/answers/241800/why-am-i-unable-to-search-previously-indexed-data.html#comm...

0 Karma
