Getting Data In

Date problem with indexed events (month / day to day / month)

alvaromoraes
Path Finder

Hello,

I have a problem that started on 07/01/2013. The date pattern is usually month/day/year, but for some reason, after the 1st of July, it is converting the date 07/03/2013 to 03/07/2013 (Mar 7 2013).

We don't know about any system modification. I tried to change the Windows Regional and Language Options, but it didn't work. The indexed data is coming from Splunk DB Connect.

Does anyone know of a solution?

Thank you very much!

0 Karma

ziegfried
Influencer

You should be able to solve this by explicitly specifying the TIME_FORMAT in props.conf for your sourcetype.

See http://docs.splunk.com/Documentation/Splunk/5.0.3/Data/Configuretimestamprecognition

0 Karma
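A sketch of the kind of props.conf stanza the answer above points to, added here as an example and not taken from the thread. The sourcetype name `my_dbx_sourcetype` is a placeholder, and the format assumes each event begins with a month/day/year date followed by a 24-hour time, such as `07/03/2013 15:43:00`.

```ini
# props.conf on the Splunk instance that parses the data
# (example only; the stanza name is a placeholder for the real sourcetype)
[my_dbx_sourcetype]
# Assumption: the timestamp is the first thing in the event
TIME_PREFIX = ^
# Month first, then day, so 07/03/2013 is always read as July 3, never March 7
TIME_FORMAT = %m/%d/%Y %H:%M:%S
# Stop looking after the 19 characters of "07/03/2013 15:43:00"
MAX_TIMESTAMP_LOOKAHEAD = 19
```

Timestamp settings apply at index time, so they affect only events indexed after the change and a restart of that instance. Events already indexed with the swapped date keep it.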

alvaromoraes
Path Finder

I tagged it as "Splunk DB Connect" because the problem occurs only with events indexed with it. It is not a database field, it is the timestamp from the event.

Yesterday, after a clean install, the first event indexed was 07/03/2013, but the search interpreted the date as 03/07/2013 (Mar 7 2013). Before 07/01 it was working right. Today my summary shows:

Earliest event Thu Mar 7 15:43:00 2013
Latest event Thu Jul 4 09:48:15 2013

There is no such event from March in my Splunk; the earliest date is 07/03. Something is converting this date wrong.

Hope this helps. Thank you for your concern.

0 Karma

Jon_Webster
Splunk Employee

Can you be more specific about the problem you're having? Is it that your event dates are being interpreted incorrectly? Is it a display format? You have tagged your question with "Splunk DB Connect", is it a database field or timestamp?

0 Karma