Splunk Search

Date Format Oddly Changes

talismanc
New Member

Hi All

I have been using Splunk for a couple of months now. Last month I noticed that the date format was being interpreted differently at the start of the month; I changed some settings and re-indexed and all seemed well. However, the same has happened at the beginning of this month, with my data being interpreted in M/D/Y instead of D/M/Y. Again, I re-indexed without changing anything and the date was formatted correctly, but new data added is again wrong.

It seems like the initial Bulk index of data is fine and then subsequent "live" indexing gets it wrong when the first day is beneath 12. I am using v4.2.2 and just monitoring a standard text file log like below:

Date Time Ext CO Dial Number Ring Duration Acc code CD

24/07/11 21:44 226 03 00447000000000 00:00'05

25/07/11 07:12 226 04 00447800000000 00:00'05

25/07/11 08:28 108 04 00447800000063 00:00'06

Any help would be much appreciated.

Best Regards

Chris

0 Karma

talismanc
New Member

Hmmm, I think I may have solved it by adding the TIME_FORMAT configuration to the default section of the props.conf file. Seems to be working now. Should have put it there anyway!

0 Karma

DalJeanis
SplunkTrust

Okay, then you should accept this answer so that other people will know what to do.

0 Karma

talismanc
New Member

Hi

Thanks for the reply, yes, this was added into a local props.conf file:

[source::C:\\CallLoggerOutput.txt]
MAX_TIMESTAMP_LOOKAHEAD = 25
TIME_FORMAT = %d/%m/%Y %H:%M

This was last month and I'm pretty sure this was the only thing I changed. The thing is, I don't think it actually changed anything, as I re-indexed the data and all looked fine. It was only when I noticed some odd timestamps this month that I realised it hadn't quite worked!

0 Karma

Starlette
Contributor

So I presume you changed some settings according to the manual?
Can you post your config here?

0 Karma
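The symptom discussed in this thread (entries dated on days 1 to 12 being read month-first) can be checked for in a log before it skews an event timeline. The following is an added example, not code from the thread or from Splunk: Python's `strptime` stands in for a timestamp parser, the function names are hypothetical, the last two sample lines are constructed, and the format strings use `%y` because the sample lines carry two-digit years.

```python
from datetime import datetime

DMY = "%d/%m/%y %H:%M"   # day-first reading the call logger intends
MDY = "%m/%d/%y %H:%M"   # month-first reading described in the thread

# First three lines are from the original post; the last two are
# constructed early-month entries (assumption, for illustration).
SAMPLE = [
    "24/07/11 21:44 226 03 00447000000000 00:00'05",
    "25/07/11 07:12 226 04 00447800000000 00:00'05",
    "25/07/11 08:28 108 04 00447800000063 00:00'06",
    "01/08/11 09:15 226 03 00447000000000 00:00'07",
    "05/08/11 10:02 108 04 00447800000063 00:00'04",
]

def try_parse(stamp, fmt):
    """Parse stamp with fmt, returning None instead of raising."""
    try:
        return datetime.strptime(stamp, fmt)
    except ValueError:
        return None

def classify(line):
    """Return (status, day_first, month_first) for one log line."""
    stamp = " ".join(line.split()[:2])   # "Date Time" columns
    dmy = try_parse(stamp, DMY)
    mdy = try_parse(stamp, MDY)
    if dmy is None:
        return ("unparseable", None, mdy)
    # Both readings succeed but disagree: a format guesser could pick either.
    if mdy is not None and mdy != dmy:
        return ("ambiguous", dmy, mdy)
    return ("unambiguous", dmy, mdy)

def ambiguous_lines(lines):
    """Lines whose timestamp is valid under both readings with different results."""
    return [l for l in lines if classify(l)[0] == "ambiguous"]

if __name__ == "__main__":
    for line in SAMPLE:
        status, dmy, mdy = classify(line)
        print(f"{status:12} day-first={dmy} month-first={mdy}")
```

Lines flagged `ambiguous` are the ones that only an explicit format setting such as `TIME_FORMAT` can pin down; late-month lines parse one way only, which is why a bulk index of late-month data can look correct.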