Change Date from 12 to 24 hour in logs being sent to 3rd party

Hi Guys

So I'm sending out logs to a 3rd party regarding one of our servers. When they are received, the logs look like below:

<13> **************** 03/08/2013 02:52:04 PM
LogName=System
SourceName=Microsoft-Windows-Service Control Manager
EventCode=7036
EventType=4
Type=Information
ComputerName=***************
TaskCategory=The operation completed successfully.
OpCode=The operation completed successfully.
RecordNumber=11711
Keywords=Classic
Message=The Software Protection service entered the stopped state.

The data in the props file looks like this at the moment:

[host::***********]
TRANSFORMS-tran8 = sendtosyslog

My question is: is there a way to alter the above date/time stamp in props.conf so that the date in the top log is shown as 24 hours, not 12?

0 Karma

SplunkTrust

You could write sed expressions, along these lines:

s/11(:\d\d:\d\d) AM/11\1/
s/12(:\d\d:\d\d) PM/12\1/
s/01(:\d\d:\d\d) PM/13\1/
...

You need to make sure only the right parts of your events match, of course.

0 Karma
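
As an added example (not part of the original answer), the script below generates the full set of 24 rules that the answer sketches, including the 12 AM to 00 case, and restricts them to the header line by requiring the leading syslog priority tag. The names `build_rules` and `to_24h`, the host value `host01` and the sample lines are constructed for illustration, and the rules are run with standard `sed -E` rather than through Splunk itself.

```shell
#!/bin/sh
# Added example: expand the answer's per-hour sed rules into the full set.
# DATE_RE, TIME_RE, build_rules and to_24h are names made up for this sketch.

# MM/DD/YYYY date that precedes the time in the event header.
DATE_RE='[0-9]{2}/[0-9]{2}/[0-9]{4}'
# :MM:SS part of the time, captured so it can be copied through unchanged.
TIME_RE='(:[0-5][0-9]:[0-5][0-9])'

# Print one rule per hour and meridiem (24 rules in total). Each rule carries
# the address /^<[0-9]+> / so it only fires on the header line that starts
# with the syslog priority tag, never on a timestamp inside Message=.
build_rules() {
  for h in 01 02 03 04 05 06 07 08 09 10 11 12; do
    # AM: 12 AM is midnight (00); every other AM hour keeps its value.
    if [ "$h" = 12 ]; then am=00; else am=$h; fi
    # PM: 12 PM stays 12; every other PM hour gains 12.
    if [ "$h" = 12 ]; then pm=12; else pm=$(( ${h#0} + 12 )); fi
    printf '/^<[0-9]+> /s#(%s) %s%s AM#\\1 %s\\2#\n' "$DATE_RE" "$h" "$TIME_RE" "$am"
    printf '/^<[0-9]+> /s#(%s) %s%s PM#\\1 %s\\2#\n' "$DATE_RE" "$h" "$TIME_RE" "$pm"
  done
}

# Filter stdin to stdout, rewriting header timestamps to 24-hour form.
to_24h() {
  sed -E "$(build_rules)"
}

# Constructed sample event modelled on the one in the question; the Message
# line carries its own 12-hour timestamp, which must be left untouched.
sample_event() {
  printf '%s\n' \
    '<13> host01 03/08/2013 02:52:04 PM' \
    'LogName=System' \
    'Message=Job finished at 03/08/2013 01:00:00 PM'
}

sample_event | to_24h
```

Because a rewritten timestamp no longer carries AM or PM, no later rule can match it a second time, so the order of the rules does not matter.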