For some reason, Splunk has started to swap the da...

numbpulse · ‎11-09-2017

For some reason, Splunk has started to swap the date format for these servers
The data is being imported, but it is going into splunk as the 11th September, rather than the 9th October.

This in turn is not giving me results of specific host set-up , rest from all hosts splunk is giving data.

richgalloway · ‎11-10-2017

It sounds like you are using the default TIME_FORMAT setting, which is the US format of mm/dd/yyyy. If you add TIME_FORMAT attributes for each sourcetype in your props.conf files on your indexers and heavy forwarders, Splunk should read dates correctly. The TIME_FORMAT values should match the way timestamps appear in your data. That's probably something like %d/%m/%Y %H:%M:%S. You will need to start Splunk after editing the props.conf files. Note that the change will only affect new data; data that is already indexed will not change (you may need to re-index it).

---
If this reply helps you, Karma would be appreciated.

For some reason, Splunk has started to swap the date format for these servers The data is being imported, but it is going into splunk as the 11th September, rather than the 9th October.

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...