I have an event whose date appears in the log as 11-Mar-14.
The system is reading it as 3/14/11.
Because of this the system says the event was logged in 2011. How can I correct it?
This has to be fixed at index time, by defining a sourcetype with a time format extraction in props.conf on all your indexers (and heavy forwarders).
See http://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition;
you probably need something starting with the date format in the correct order:

```ini
[mysourcetype]
TIME_FORMAT=%d %b %y %H:%M:%S.%3N %Z
# expects : day_1or2digits month_3letters year_2digits : 21 Feb 15 6:02:05.000 PM
```

Of course you also need to add the time format, not just the date.
OK, I tried (no luck). I created a new sourcetype, Trend.
My source CSV file has events in this format:
"10-Mar-14 7:18:54 PM"
My inputs.conf:

```ini
[monitor://D:\Latency.csv]
sourcetype = Trend
```

I edited the learned props.conf (since I am not sure where to create a new props.conf; C:\Program Files\SplunkForwarder\etc\apps\learned\local):

```ini
[Trend]
KV_MODE = none
REPORT-AutoHeader = AutoHeader-1
SHOULD_LINEMERGE = False
pulldown_type = true
TIME_FORMAT=%d %b %y %H:%M:%S.%3N %Z
```

At the indexer I created a new props.conf in D:\Splunk\etc\apps\Dash\local. What am I missing?
Actually, when I first started with this sourcetype I was not able to get data into the indexer, and I needed to import a copy to the indexer, build a learned file and then copy the learned behaviour to the Universal Forwarder.
Now I learned CSV-2 by doing this... but that is used by another file which is almost the same as this input, other than it does not have a date stamp in it.
Hence I thought to build CSV-3, which will be different from CSV-2 in the learned dir, and add the forced timestamp. If this is not the right way then I would like to know where to build CSV-3 on the forwarder and indexer.
If you enforce the TIME_FORMAT, you need to add the hour time format too.

```ini
TIME_FORMAT=%d %b %y %H:%M:%S.%3N %Z
# expects : day_1or2digits month_3letters year_2digits 21 Feb 15 6:02:05.000 PM
```

Please:
- enforce a sourcetype for your inputs; csv-3 looks like an automatic sourcetype that will increment every time something changes.
- create your own version of the sourcetype in another app (the learned app is automatic); this will be easier to maintain and deploy.
Time seems to be coming in the right format:
6:02:05.000 PM (which seems to be CT time right now) - I am OK with this. Since csv-3 is only used by this specific data source, I have to add this to the Universal Forwarder in learned\local\props.conf - do you think I need to adjust this in the Universal Forwarder too?
So my current sourcetype at D:\Splunk\etc\apps\learned\local\props.conf is:

```ini
[csv-3]
KV_MODE = none
REPORT-AutoHeader = AutoHeader-1
SHOULD_LINEMERGE = False
pulldown_type = true
```

Are you suggesting:

```ini
[csv-3]
KV_MODE = none
REPORT-AutoHeader = AutoHeader-1
SHOULD_LINEMERGE = False
pulldown_type = true
TIME_FORMAT=%d %b %y
```
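Before a TIME_FORMAT is pushed to forwarders and indexers, it pays to check the candidate format against a few real event lines offline, because a mismatched format silently falls back to Splunk's automatic timestamp guessing (which is what produced the 2011 date in the question). The Python below is an added example, not part of this thread or of Splunk; it assumes Splunk's TIME_FORMAT follows strptime() directives (Splunk's %3N-style subsecond extensions are mapped to Python's %f), and the sample rows are constructed to look like the "10-Mar-14 7:18:54 PM" events described above.

```python
from datetime import datetime

# Constructed sample events shaped like the question's CSV rows: a quoted
# "10-Mar-14 7:18:54 PM" timestamp first. Not lines from the real Latency.csv.
SAMPLE_EVENTS = [
    '"10-Mar-14 7:18:54 PM",120',
    '"11-Mar-14 12:00:01 AM",98',
    '"11-Mar-14 6:02:05 PM",143',
]

# Splunk's TIME_FORMAT is strptime-based, so Python's strptime is a cheap
# offline check. Splunk's subsecond extensions have no Python form; map to %f.
SPLUNK_SUBSECOND = ("%3N", "%6N", "%9N", "%N")

def to_python_format(splunk_fmt):
    for directive in SPLUNK_SUBSECOND:
        splunk_fmt = splunk_fmt.replace(directive, "%f")
    return splunk_fmt

def parse_event_time(event, time_format, time_prefix='"'):
    """Datetime that TIME_FORMAT would extract from one event, or None.
    Like Splunk: skip past TIME_PREFIX, then match TIME_FORMAT at that point
    (here the timestamp text runs up to the closing quote of the CSV field)."""
    start = event.find(time_prefix)
    if start < 0:
        return None
    start += len(time_prefix)
    end = event.find('"', start)
    raw = event[start:end] if end >= 0 else event[start:]
    try:
        return datetime.strptime(raw, to_python_format(time_format))
    except ValueError:
        return None

def validate_time_format(events, time_format):
    """Try TIME_FORMAT on every sample; return (parsed datetimes, failed events)."""
    parsed, failed = [], []
    for event in events:
        ts = parse_event_time(event, time_format)
        if ts is None:
            failed.append(event)
        else:
            parsed.append(ts)
    return parsed, failed

if __name__ == "__main__":
    for fmt in ("%d %b %y %H:%M:%S.%3N %Z", "%d-%b-%y %I:%M:%S %p"):
        ok, bad = validate_time_format(SAMPLE_EVENTS, fmt)
        print(fmt, "->", [t.isoformat() for t in ok], "| failed:", len(bad))
```

A format is only safe to deploy when the failed list is empty and every parsed year and hour is what you expect (2014 and a 24-hour value here, not 2011).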