We have some logs where the Time in the DateTime field is irrelevant. For example, all events have the following time 24:00:99, which can confuse our users. Is there a way to format the DateTime so that it is always %m/%d/%Y 00:00:00? I tried setting that in props.conf on the forwarder, but it didn't work.
@dpanych, do you have these props on your indexer as well? Most of the parsing phase is done at the indexer / HF, and since timestamp recognition is in the parsing phase, try setting your props on the indexer/heavy forwarder.
http://docs.splunk.com/Documentation/Splunk/6.3.2/Admin/Configurationparametersandthedatapipeline
http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Configuretimestamprecognition
Got it to work! It was a combination of your solution and changing TIME_FORMAT to %D.
Could you use _indexTime? Or do you just want the %m/%d/%Y from the event? Please post your props.
Here is what the field looks like: "LogDate":"01/04/16 24:00:99"
I want it to look like 01/04/16 00:00:00
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
INDEXED_EXTRACTIONS=json
AUTO_KV_JSON=none
MAX_DAYS_AGO = 10000
TIME_PREFIX = "LogDate":"
TIME_FORMAT = %m/%d%/%y
MAX_TIMESTAMP_LOOKAHEAD = 500
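
An added example, not code from this thread or from Splunk: a Python model of the prefix, date-only format and short lookahead approach, run on constructed events shaped like the LogDate sample above. It shows that a full date-and-time parse rejects 24:00:99, while reading only the date characters yields midnight. The function names and the 8-character window are assumptions made for illustration.

```python
import json
import re
from datetime import datetime

# Constructed sample events in the shape quoted in the thread.
SAMPLE_EVENTS = [
    '{"LogDate":"01/04/16 24:00:99","msg":"constructed event A"}',
    '{"LogDate":"12/31/15 24:00:99","msg":"constructed event B"}',
]

TIME_PREFIX = r'"LogDate":"'    # same prefix pattern as the posted props
DATE_ONLY_FORMAT = "%m/%d/%y"   # date directives only, no time directives
DATE_WIDTH = 8                  # assumed window: len("01/04/16"), stops before the time


def parse_full(raw):
    """Parse date and time together; None when the time part is out of range."""
    value = json.loads(raw)["LogDate"]
    try:
        return datetime.strptime(value, "%m/%d/%y %H:%M:%S")
    except ValueError:
        return None


def parse_date_only(raw):
    """Find the prefix, read only the date characters, let the time default to 00:00:00."""
    match = re.search(TIME_PREFIX, raw)
    if match is None:
        return None
    window = raw[match.end():match.end() + DATE_WIDTH]
    try:
        return datetime.strptime(window, DATE_ONLY_FORMAT)
    except ValueError:
        return None


def normalise(raw):
    """Render the event time as mm/dd/yy 00:00:00, or None if no date was found."""
    ts = parse_date_only(raw)
    return ts.strftime("%m/%d/%y %H:%M:%S") if ts else None


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(parse_full(event), "->", normalise(event))
```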