Hello,
I'm with a problem that started 07/01/2013. The pattern for date usually is month/day/year, but for some reason after 1st of July, it is converting the date 07/03/2013 to 03/07/2013 (Mar 7 2013).
We don't know about any system modification. I tried to change Windows Regional and Language Options, but don't worked. The indexed data is coming from Splunk DB Connect.
Anyone know about any solution?
Thank you very much!
You should be able to solve this by explicitly specifying the TIME_FORMAT
in props.conf for your sourcetype.
See http://docs.splunk.com/Documentation/Splunk/5.0.3/Data/Configuretimestamprecognition
I tagged like "Splunk DB Connect", because the problem occurs only from events indexed with it. It is not a database field, it is the timestamp from the event.
Yesterday, after a clean install, the first event indexed was 07/03/2013, but the search interpreted the date as 03/07/2013 (Mar 7 2013). Before 07/01 it was working right. Today my summary shows:
Earliest event Thu Mar 7 15:43:00 2013
Latest event Thu Jul 4 09:48:15 2013
There is no such event from March in my Splunk, the earliest date is 07/03. Something is converting this date wrong.
Hope this helps. Thank you for your concern.
Can you be more specific about the problem you're having? Is it that your event dates are being interpreted incorrectly? Is it a display format? You have tagged your question with "Splunk DB Connect", is it a database field or timestamp?