topic Re: How can I configure splunk to read dates in dd/mm/yyyy format? in Getting Data In

How can I configure splunk to read dates in dd/mm/yyyy format?

jonzhong — Mon, 29 Sep 2014 04:36:55 GMT

how do i get splunk to read the date as dd/mm/yyyy, it is currently reading mm/dd/yyyy

Re: How can I configure splunk to read dates in dd/mm/yyyy format?

MarioM — Mon, 29 Sep 2014 05:45:45 GMT

you need to set the timestamp format in your props.conf:

http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/Configuretimestamprecognition#Edit_timestamp_properties_in_props.conf

[<spec>]
TIME_FORMAT = <strptime-style format>

In this syntax, spec can be:

<sourcetype>, the source type of an event.
host::<host>, where <host> is the host value for an event.
source::<source>, where <source> is the source value for an event.

In your example it should be:

[<spec>]
TIME_FORMAT = %d/%m/%Y

And this is an index time parameter thus requires splunk restart and will only apply to new data.

Re: How can I configure splunk to read dates in dd/mm/yyyy format?

jonzhong — Wed, 01 Oct 2014 04:14:17 GMT

i tried this from what i found on other threads but its not working. i search for all time_format and change all to %d/%m/%y, restart but still no different

Re: How can I configure splunk to read dates in dd/mm/yyyy format?

MarioM — Wed, 01 Oct 2014 07:11:17 GMT

can you paste your props.conf configuration? an which splunk version do you have?

Re: How can I configure splunk to read dates in dd/mm/yyyy format?

markthompson — Wed, 01 Oct 2014 07:57:46 GMT

Have you added new data, as Mario stated, IT ONLY APPLIES TO NEW DATA

Re: How can I configure splunk to read dates in dd/mm/yyyy format?

jonzhong — Tue, 07 Oct 2014 01:29:19 GMT

yes i remove the old directories and data, re added it.

Re: How can I configure splunk to read dates in dd/mm/yyyy format?

jonzhong — Mon, 28 Sep 2020 17:48:36 GMT

i'm using version 6.1.2

when i go into props.config, i did a search for time_format, next i change ALL "time_format = %m/ %d/ %y" to "time_format = %d/ %m/ %y"

where do i input the "time_format = "

Please advise

Re: How can I configure splunk to read dates in dd/mm/yyyy format?

linu1988 — Tue, 07 Oct 2014 04:28:01 GMT

Guess you are not putting them in lowercase as you mentioned here...

Make everything in Caps , as per the documentations provided.

If you ever have any doubt always append all the configurations in etc\system\local\props.conf

Re: How can I configure splunk to read dates in dd/mm/yyyy format?

MarioM — Tue, 07 Oct 2014 05:35:40 GMT

can you post your props.conf that we can check the syntax?
As well if you re-add the same data splunk will not re-index it then you need to do (BEWARE THIS WILL PERMANENTLY DELETE THE DATA) splunk clean eventdata -index my_index

Re: How can I configure splunk to read dates in dd/mm/yyyy format?

jonzhong — Tue, 07 Oct 2014 06:57:51 GMT

i am going to install splunk a new workstation and redo the whole process
is there an email address for me to contact you? i can send you my props.conf

Re: How can I configure splunk to read dates in dd/mm/yyyy format?

MarioM — Tue, 07 Oct 2014 07:24:47 GMT

as some other splunk users might run in similar issue it is better to continue here for this thread to be profitable to them

Re: How can I configure splunk to read dates in dd/mm/yyyy format?

jonzhong — Tue, 07 Oct 2014 08:44:37 GMT

i just notice that if i upload an index with the date 13/08/2014, it will be able to read in dd/mm/yyyy.
which means if it is not 1 to 12, splunk will read it in dd/mm/yyyy.

and if it is 1/09/2014, it will read it as mm/dd/yyyy (9 jan 2014)

i am unable to copy the props.conf, too many characters. which part do i need to copy over?

Re: How can I configure splunk to read dates in dd/mm/yyyy format?

jonzhong — Tue, 07 Oct 2014 09:29:21 GMT

i think i manage to solve the problem. apparently, there is this datetime.xml file in splunk\etc
by default there was alot of definition is "month, day, year". so i change all of it to "day, month, year" and VIOLA!! it work. thanks for MarioM help too.

Re: How can I configure splunk to read dates in dd/mm/yyyy format?

jrodman — Mon, 13 Oct 2014 07:41:09 GMT

This is not a good solution, as you are changing the way splunk guesses timestamps for your entire install.
In addition TIME_FORMAT will produce better performance and more stable results.

If you wish to create a custom datetime.xml, you should reference it within your sourcetype in props.conf.

Re: How can I configure splunk to read dates in dd/mm/yyyy format?

jonzhong — Mon, 13 Oct 2014 07:44:42 GMT

well. i cant seem to get the props.conf command to work. i'm not a programmer and have very very limited coding knowledge.