topic Re: setting the default date format for events in Getting Data In

setting the default date format for events

las — Thu, 08 Nov 2012 11:29:35 GMT

I have a date in my input files 08-11-12, This date could be August 11. 2012, or (as is the case) November 8. 2012, as I use European date-format.

It looks like Splunk likes to use the American date-format before using the European, so it thinks the event was written in august.

How do I change the default behavior, so that it first uses European format, and then American?

Kind regards

Re: setting the default date format for events

kristian_kolb — Thu, 08 Nov 2012 12:15:34 GMT

Check out the TIME_FORMAT parameter for props.conf. With that you specify how the incoming timestamps should be parsed.

Re: setting the default date format for events

las — Thu, 08 Nov 2012 12:53:32 GMT

Yes, but isn't that on a sourcetype basis. I want to default use the European formats before the American.

Re: setting the default date format for events

Ayn — Thu, 08 Nov 2012 13:57:07 GMT

These issues are typically found on a per-sourcetype basis, so setting a global default is kind of dangerous. But, if you really know what you are doing you could set a global setting using the [default] stanza in props.conf.

Re: setting the default date format for events

dart — Thu, 08 Nov 2012 16:21:42 GMT

It's better to do this with a TIME_FORMAT for each sourcetype, but otherwise you could create your own datetime.xml and then use the default stanza to specify using your copy of datetime.xml.

Re: setting the default date format for events

las — Fri, 09 Nov 2012 11:38:26 GMT

Thanks - as usual very helpful info.

Re: setting the default date format for events

las — Fri, 09 Nov 2012 11:39:44 GMT

I used the comment from dart.
A little more work, but it works.