topic Re: timestamp format of the input files in Getting Data In

timestamp format of the input files

newbiesplunk — Fri, 01 Aug 2014 07:41:27 GMT

Hi,
when i forward my input files (c:\data) from server A to Splunk Head at ServerB, the date format was correct for all input files as of yesterday. But today, when the date is 1/8/2014 (dd/mm/yyyy), some files from the server A is recognised as 8/1/2014 (dd/mm/yyyy) and some recognised as 1/8/2014 (dd/mm/yyyy). Why is it so? How and where to correct it to ensure the new data format is recognised as dd/mm/yyyy. thks

Re: timestamp format of the input files

strive — Fri, 01 Aug 2014 07:44:31 GMT

Can you post your props.conf settings

Re: timestamp format of the input files

keerthana_k — Fri, 01 Aug 2014 09:09:57 GMT

You can do this my mentioning your time format in props.conf file:

Under your configuration stanza, you can add

TIME_FORMAT=%d/%m/%Y

This will ensure that the timestamp for all the events of that type are considered in dd/mm/yyyy format.

Re: timestamp format of the input files

newbiesplunk — Tue, 05 Aug 2014 08:00:45 GMT

it works only the first event after restarted the splunk and the subsequent events were returned back to mm/dd/yyyy. ANy thing else need to do? thks

Re: timestamp format of the input files

newbiesplunk — Tue, 05 Aug 2014 08:36:32 GMT

how come from the same forwarder, the date format is different for different input files? So strange.

Re: timestamp format of the input files

keerthana_k — Tue, 05 Aug 2014 08:52:59 GMT

Can you paste your props.conf setting?

Re: timestamp format of the input files

somesoni2 — Tue, 05 Aug 2014 13:21:27 GMT

You might have to configure other attributes for your sourcetype for timestamp recognition and event-breaking. Please provide some sample logs and current sourcetype definition from props.conf (if any, from indexer).