Solved: Why doesn't the time format match my log?

kannu · ‎06-01-2018

Hi splunkers

I have following log entry in file getting indexed on sourcetype name "ncm"

"01/06/2018 12:00:47 : Started LoadBalancer"

This is of 1st june 2018 but in splunk this entry has been taken as 6 january 2018 . Before this entry comes in the log two days ago i have already changed the time format in props.conf

[ncm]
TIME_FORMAT = %d-%m-%Y %H:%M:%S

So in that two days data arrived as per my time format but today 1st june data went to 6th january .

Please help.

FrankVl · ‎06-01-2018

That TIME_FORMAT does not match your log. Your log has / as separator, while your TIME_FORMAT uses -. Which will cause Splunk to revert to auto detection, which indeed can fail on ambiguous dates likes 01/06/2018.

View solution in original post

FrankVl · ‎06-01-2018

That TIME_FORMAT does not match your log. Your log has / as separator, while your TIME_FORMAT uses -. Which will cause Splunk to revert to auto detection, which indeed can fail on ambiguous dates likes 01/06/2018.

kannu · ‎06-01-2018

@FrankVl

So below will work ?

[ncm]
TIME_FORMAT = %d/%m/%Y %H:%M:%S

FrankVl · ‎06-01-2018

Yes, I would expect it would 🙂

Why doesn't the time format match my log?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms