topic Why is Splunk converting my timestamp to DD/MM/YY instead of MM/DD/YY? in Getting Data In

Why is Splunk converting my timestamp to DD/MM/YY instead of MM/DD/YY?

jmajumdar — Wed, 07 Dec 2016 22:28:19 GMT

Hi All

I have this problem in Splunk :

in my log i have time setup as : 12.07.2016 17:20:30,474 but Splunk is converting it to 07/12/16, when it should be 12/07/16. What can I do to correct it? Logs are in these files are in xml format .

This is how it is looking in Splunk:

7/12/16
5:20:30.474 PM  
<unspecified>10.0.6.32<unspecified>10.0.6.32

Re: Why is Splunk converting my timestamp to DD/MM/YY instead of MM/DD/YY?

dbcase — Wed, 07 Dec 2016 23:15:41 GMT

Try something like this (you will need to substitue the right time format variables for your needs)

eval epochtime=strptime(eventTimeStamp, "%H:%M:%S.%3Q %z %Y-%m-%d")|eval desired_time=strftime(epochtime, "%I:%M:%S.%3Q %p %m/%d/%Y")

https://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Commontimeformatvariables

Re: Why is Splunk converting my timestamp to DD/MM/YY instead of MM/DD/YY?

esix_splunk — Wed, 07 Dec 2016 23:42:34 GMT

Do you mean the displayed time in the GUI? As Splunk wont rewrite your timestamp. If you mean the way it is displayed in the GUI, this is likely due to the region settings for your language.

Otherwise, it could be that your time stamp is being read incorrectly and you need to specify the strptime format as noted by DBcase, or in props.conf where you ingest the file.

Re: Why is Splunk converting my timestamp to DD/MM/YY instead of MM/DD/YY?

jmajumdar — Thu, 08 Dec 2016 17:37:32 GMT

Added this to props.conf seem to resolve my issue : DATETIME_CONFIG=CURRENT