Getting Data In

For some reason, Splunk has started to swap the date format for these servers The data is being imported, but it is going into splunk as the 11th September, rather than the 9th October.

numbpulse
New Member

For some reason, Splunk has started to swap the date format for these servers
The data is being imported, but it is going into splunk as the 11th September, rather than the 9th October.

This in turn is not giving me results of specific host set-up , rest from all hosts splunk is giving data.

Tags (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

It sounds like you are using the default TIME_FORMAT setting, which is the US format of mm/dd/yyyy. If you add TIME_FORMAT attributes for each sourcetype in your props.conf files on your indexers and heavy forwarders, Splunk should read dates correctly. The TIME_FORMAT values should match the way timestamps appear in your data. That's probably something like %d/%m/%Y %H:%M:%S. You will need to start Splunk after editing the props.conf files. Note that the change will only affect new data; data that is already indexed will not change (you may need to re-index it).

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...