https://community.splunk.com/t5/Splunk-Search/Use-Field-with-Timestamp-as-Eventtime/m-p/375860#M169593 <P>Edit: Please ignore, that won't work.</P> <P>I'd agree with @FrankVI and would try to fix the data, and would maybe do this during indexing (because you can most likely not change how you get the data on the source).</P> <P>You should maybe look into a props.conf entry with SEDCMD, and just have 12 lines to replace each German abbreviation with the English one, and you would be done...</P> Mon, 07 May 2018 13:07:58 GMT xpac 2018-05-07T13:07:58Z https://community.splunk.com/t5/Splunk-Search/Use-Field-with-Timestamp-as-Eventtime/m-p/375856#M169589 <P>Hi Community!</P> <P>I have a problem with a German Timestamp Field!<BR /> I would like to extract the correct Timestamp from this field and replace it as the eventtime.<BR /> Unfortunatly monthnames are displayed at german language.</P> <P>What is the best way to do that</P> <P>This is my field with the timestamp </P> <BLOCKQUOTE> <P>Mo Mai 07 2018 11:15:46.5650</P> </BLOCKQUOTE> <P>and I would like to replace the eventtime with that timestamp</P> <P>Thanks<BR /> Rob</P> Mon, 07 May 2018 09:30:10 GMT https://community.splunk.com/t5/Splunk-Search/Use-Field-with-Timestamp-as-Eventtime/m-p/375856#M169589 RobertRi 2018-05-07T09:30:10Z https://community.splunk.com/t5/Splunk-Search/Use-Field-with-Timestamp-as-Eventtime/m-p/375857#M169590 <P>Ha, Mai is actually the worst example <span class="lia-unicode-emoji" title=":winking_face:">😉</span><BR /> Just wondering - is the timestamp only showing the first three letters of each month, or is it showing the full month name?</P> Mon, 07 May 2018 10:09:40 GMT https://community.splunk.com/t5/Splunk-Search/Use-Field-with-Timestamp-as-Eventtime/m-p/375857#M169590 xpac 2018-05-07T10:09:40Z https://community.splunk.com/t5/Splunk-Search/Use-Field-with-Timestamp-as-Eventtime/m-p/375858#M169591 <P>Only the first three letters.</P> <P>Regards<BR /> Rob</P> Mon, 07 May 2018 10:49:47 GMT https://community.splunk.com/t5/Splunk-Search/Use-Field-with-Timestamp-as-Eventtime/m-p/375858#M169591 RobertRi 2018-05-07T10:49:47Z https://community.splunk.com/t5/Splunk-Search/Use-Field-with-Timestamp-as-Eventtime/m-p/375859#M169592 <P>Looks like you're not the only one who ran into this (no solution unfortunately):<BR /> <A href="https://answers.splunk.com/answers/468409/is-there-a-way-to-force-a-locale-so-that-splunk-re.html">https://answers.splunk.com/answers/468409/is-there-a-way-to-force-a-locale-so-that-splunk-re.html</A></P> <P>Not directly related to index time processing of timestamps, but the search time documentation mentions that it follows the server's OS's locale setting:<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/7.1.0/SearchReference/Commontimeformatvariables">http://docs.splunk.com/Documentation/Splunk/7.1.0/SearchReference/Commontimeformatvariables</A></P> <P>So you might want to try sending this data through a HF that is running on an OS set to German locale.</P> <P>Alternatively, you could look at defining your own <A href="http://docs.splunk.com/Documentation/Splunk/7.1.0/Data/Configuretimestamprecognition#The_timestamp_processor">timestamp processor</A> (creating an alternative datetime.xml).</P> <P>I'd probably aim at fixing this from the data source side, rather than Splunk side...</P> Mon, 07 May 2018 11:32:54 GMT https://community.splunk.com/t5/Splunk-Search/Use-Field-with-Timestamp-as-Eventtime/m-p/375859#M169592 FrankVl 2018-05-07T11:32:54Z https://community.splunk.com/t5/Splunk-Search/Use-Field-with-Timestamp-as-Eventtime/m-p/375860#M169593 <P>Edit: Please ignore, that won't work.</P> <P>I'd agree with @FrankVI and would try to fix the data, and would maybe do this during indexing (because you can most likely not change how you get the data on the source).</P> <P>You should maybe look into a props.conf entry with SEDCMD, and just have 12 lines to replace each German abbreviation with the English one, and you would be done...</P> Mon, 07 May 2018 13:07:58 GMT https://community.splunk.com/t5/Splunk-Search/Use-Field-with-Timestamp-as-Eventtime/m-p/375860#M169593 xpac 2018-05-07T13:07:58Z https://community.splunk.com/t5/Splunk-Search/Use-Field-with-Timestamp-as-Eventtime/m-p/375861#M169594 <P>But would that SEDCMD be performed before Splunk does the timestamp extraction? Otherwise it is rather pointless, right?</P> Mon, 07 May 2018 13:15:37 GMT https://community.splunk.com/t5/Splunk-Search/Use-Field-with-Timestamp-as-Eventtime/m-p/375861#M169594 FrankVl 2018-05-07T13:15:37Z https://community.splunk.com/t5/Splunk-Search/Use-Field-with-Timestamp-as-Eventtime/m-p/375862#M169595 <P>You're right, my mistake, that wouldn't work...</P> Mon, 07 May 2018 13:29:48 GMT https://community.splunk.com/t5/Splunk-Search/Use-Field-with-Timestamp-as-Eventtime/m-p/375862#M169595 xpac 2018-05-07T13:29:48Z