
Date Formatting

Path Finder

I have an event whose date appears in the log as 11-Mar-14.
The system is reading it as 3/14/11.

Because of this the system says the event was logged in 2011. How can I correct it?


Splunk Employee

This has to be fixed at index time, by defining a sourcetype with a time format extraction in props.conf on all your indexers (and heavy forwarders).

You probably need something starting with the date format in the correct order:

TIME_FORMAT=%d %b %y %H:%M:%S.%3N %Z
# expects : day_1or2digits month_3letters year_2digits : 21 Feb 15 6:02:05.000 PM

Of course you also need to add the time format, not just the date.


Path Finder

OK, I tried (no luck). I created a new sourcetype, Trend.

At Universal Forwarder:

My source csv file has events in format:
"10-Mar-14 7:18:54 PM"

My inputs.conf:
sourcetype = Trend

I edited the learned props.conf (since I'm not sure where to create a new props.conf): C:\Program Files\SplunkForwarder\etc\apps\learned\local

KV_MODE = none
REPORT-AutoHeader = AutoHeader-1
pulldown_type = true
TIME_FORMAT=%d %b %y %H:%M:%S.%3N %Z

At the indexer, I created a new props.conf in D:\Splunk\etc\apps\Dash\local. What am I missing?


Path Finder

Actually, when I first started with this sourcetype I was not able to get data into the indexer, and I needed to import a copy to the indexer, build a learned file, and then copy the learned behaviour to the Universal Forwarder.

Now I learned CSV-2 by doing this, but that is used by another file which is almost the same as this input, other than that it does not have a date stamp in it.

Hence I thought to build CSV-3, which will be different from CSV-2 in the learned dir, and add the forced timestamp. If this is not the right way then I would like to know where to build CSV-3 on the forwarder and indexer.


Splunk Employee

If you enforce the TIME_FORMAT, you need to add the hour time format too.

TIME_FORMAT=%d %b %y %H:%M:%S.%3N %Z
# expects : day_1or2digits month_3letters year_2digits 21 Feb 15 6:02:05.000 PM

- Enforce a sourcetype for your inputs; csv-3 looks like an automatic sourcetype that will increment every time something changes.
- Create your own version of the sourcetype in another app (the learned app is automatic); this will be easier to maintain and deploy.


Path Finder

Time seems to be coming in the right format:
6:02:05.000 PM (which seems to be CT time right now). I am OK with this. Since csv-3 is only used by this specific data source, I have to add this to the Universal Forwarder in learned\local\props.conf. Do you think I need to adjust this in the Universal Forwarder too?


Path Finder

So my current sourcetype at D:\Splunk\etc\apps\learned\local\props.conf is:

KV_MODE = none
REPORT-AutoHeader = AutoHeader-1
pulldown_type = true

Are you suggesting:
KV_MODE = none
REPORT-AutoHeader = AutoHeader-1
pulldown_type = true
TIME_FORMAT=%d %b %y

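A pre-flight check for a TIME_FORMAT before it goes into props.conf, as an added example that is not code from this thread or from Splunk. It assumes that Splunk's TIME_FORMAT uses strptime-style directives and that, for the directives used here (%d %b %y %I %M %S %p), Python's datetime.strptime interprets them the same way; Splunk's %3N subsecond directive has no strptime equivalent and is mapped to %f. The sample CSV rows are constructed from the thread's "10-Mar-14 7:18:54 PM" and "11-Mar-14" (hosts and messages invented), and the TIME_PREFIX of a leading double quote assumes the timestamp field is quoted as in the asker's sample. The script reproduces the thread's two findings: the posted space-separated format does not match a dash-separated date, and a 2-digit-year date read year-first lands in 2011.

```python
"""Check a Splunk-style TIME_FORMAT against sample events before deploying it.

Added example; assumes Splunk TIME_FORMAT directives behave like strptime
for %d %b %y %I %M %S %p. It does not read props.conf or contact Splunk.
"""
import re
from datetime import datetime

# Constructed sample CSV rows modelled on the thread's timestamps.
SAMPLE_EVENTS = [
    '"10-Mar-14 7:18:54 PM",host01,INFO,scan completed',
    '"11-Mar-14 6:02:05 AM",host02,WARN,pattern file outdated',
]

# The format posted in the thread (space-separated, 24h, subseconds, zone).
THREAD_FORMAT = "%d %b %y %H:%M:%S.%3N %Z"
# A format that matches the asker's dash-separated, 12-hour events.
MATCHING_FORMAT = "%d-%b-%y %I:%M:%S %p"

# Splunk-only subsecond directives, mapped so the same string can be tried
# here (%f accepts 1-6 digits in Python).
SPLUNK_ONLY = {"%3N": "%f", "%6N": "%f", "%9N": "%f"}


def to_strptime(time_format):
    """Translate Splunk-only directives into their strptime counterparts."""
    for splunk_dir, py_dir in SPLUNK_ONLY.items():
        time_format = time_format.replace(splunk_dir, py_dir)
    return time_format


def extract_timestamp(event, time_format, time_prefix=r'^"', max_lookahead=24):
    """Mimic TIME_PREFIX / TIME_FORMAT / MAX_TIMESTAMP_LOOKAHEAD on one event.

    Splunk matches the format at the start of the text after TIME_PREFIX and
    ignores what follows; strptime needs an exact match, so try the longest
    prefix of the lookahead window first and shrink until one parses.
    Returns a datetime, or None when nothing in the window matches.
    """
    m = re.search(time_prefix, event)
    if not m:
        return None
    window = event[m.end():m.end() + max_lookahead]
    fmt = to_strptime(time_format)
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], fmt)
        except ValueError:
            continue
    return None


def check_format(time_format, events=SAMPLE_EVENTS, **kwargs):
    """Return [(event, parsed datetime or None), ...] for every sample event."""
    return [(e, extract_timestamp(e, time_format, **kwargs)) for e in events]


def misread_without_format(date_text):
    """Reproduce the asker's symptom: read year-first, 11-Mar-14 becomes
    14 March 2011 (the 3/14/11 the thread reports)."""
    return datetime.strptime(date_text, "%y-%b-%d")


def render_props_stanza(sourcetype, time_format, time_prefix=r'^"', max_lookahead=24):
    """Text of the props.conf stanza for an app's local/ directory on the
    indexers (and heavy forwarders), as the reply above advises."""
    return "\n".join([
        f"[{sourcetype}]",
        f"TIME_PREFIX = {time_prefix}",
        f"TIME_FORMAT = {time_format}",
        f"MAX_TIMESTAMP_LOOKAHEAD = {max_lookahead}",
    ])


if __name__ == "__main__":
    for fmt in (THREAD_FORMAT, MATCHING_FORMAT):
        print(f"TIME_FORMAT = {fmt}")
        for event, ts in check_format(fmt):
            print(f"  {'OK  ' if ts else 'FAIL'} {ts} <- {event}")
    print("read year-first, 11-Mar-14 becomes",
          misread_without_format("11-Mar-14").date())
    print()
    print(render_props_stanza("Trend", MATCHING_FORMAT))
```

Run it once against a handful of real lines from the CSV before editing props.conf: a format that returns None for any sample line will send Splunk back to automatic timestamp detection for that event, which is exactly the 2011 misread the thread started with. The stanza it prints belongs in a dedicated app on the indexers and heavy forwarders, not in the Universal Forwarder's learned app.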