topic Timestamp recognition props.conf (event time using MM/DD/YYYY instead of DD/MM/YYYY in Getting Data In

Timestamp recognition props.conf (event time using MM/DD/YYYY instead of DD/MM/YYYY

marellasunil — Fri, 01 May 2015 13:26:59 GMT

Hi,
Every month 1st, I am facing the below issue.
Splunk stopped indexing on 1st of every month
For ex : Feb 1st it stopped indexing & it retrieved on 2nd, and on March 1st stopped and indexing again on 3rd march.
Look like splunk recognizing logs as MM/DD though DD/MM in the log

I tried to add "%d/%m/%Y %H:%M:%S" in props.conf but still no luck

timestamp="09/04/2015 10:06:30", XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX, transactionstart="09/04/2015 10:06:30", transactionend="09/04/2015 10:06:30",

Can some one suggest me what should I do?

Re: Timestamp recognition props.conf (event time using MM/DD/YYYY instead of DD/MM/YYYY

stephane_cyrill — Fri, 01 May 2015 14:23:56 GMT

What is the source of your data? is it from a forwarder? if yes, it may be a game of time zones.

see

docs.splunk.com/Documentation/Splunk/6.2.2/data/Applytimezoneoffsetstotimestamps

Re: Timestamp recognition props.conf (event time using MM/DD/YYYY instead of DD/MM/YYYY

marellasunil — Mon, 28 Sep 2020 19:48:42 GMT

Hi Stephane,
Thanks for the reply.
Yes it is forwarder, even I have add the below stanza to props.conf file (In deployment server) which did not work, even changed in all indexers $SPLUNK_HOME$/system/local/props.conf as well

[sourcetype_proj]
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIME_FORMAT = %d/%m/%Y %H:%M:%S
TIME_PREFIX = timestamp="
TZ = Europe/London
category = Custom
pulldown_type = true