Getting Data In

How can I configure splunk to read dates in dd/mm/yyyy format?

jonzhong
New Member

How do I get Splunk to read the date as dd/mm/yyyy? It is currently reading mm/dd/yyyy.

0 Karma

MarioM
Motivator

You need to set the timestamp format in your props.conf:

http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/Configuretimestamprecognition#Edit_timestamp_...

[<spec>]
TIME_FORMAT = <strptime-style format>

In this syntax, spec can be:

<sourcetype>, the source type of an event.
host::<host>, where <host> is the host value for an event.
source::<source>, where <source> is the source value for an event. 

In your example it should be:

[<spec>]
TIME_FORMAT = %d/%m/%Y

This is an index-time parameter, so it requires a Splunk restart and will only apply to new data.

jonzhong
New Member

I'm using version 6.1.2.

When I went into props.config, I did a search for time_format; next I changed ALL "time_format = %m/ %d/ %y" to "time_format = %d/ %m/ %y".

Where do I input the "time_format = "?

Please advise

0 Karma

MarioM
Motivator

Can you post your props.conf so that we can check the syntax?
Also, if you re-add the same data, Splunk will not re-index it, so you need to run (BEWARE THIS WILL PERMANENTLY DELETE THE DATA) splunk clean eventdata -index my_index

0 Karma

jonzhong
New Member

I am going to install Splunk on a new workstation and redo the whole process.
Is there an email address for me to contact you? I can send you my props.conf.

0 Karma

jonzhong
New Member

Well, I can't seem to get the props.conf command to work. I'm not a programmer and have very, very limited coding knowledge.

0 Karma

MarioM
Motivator

As some other Splunk users might run into a similar issue, it is better to continue here for this thread to be profitable to them.

0 Karma

jonzhong
New Member

I just noticed that if I upload an index with the date 13/08/2014, it will be able to read it in dd/mm/yyyy.
Which means if it is not 1 to 12, Splunk will read it in dd/mm/yyyy.

And if it is 1/09/2014, it will read it as mm/dd/yyyy (9 Jan 2014).

I am unable to copy the props.conf; too many characters. Which part do I need to copy over?

0 Karma

jonzhong
New Member

I think I managed to solve the problem. Apparently, there is this datetime.xml file in splunk\etc.
By default there were a lot of definitions as "month, day, year", so I changed all of them to "day, month, year" and VOILA!! It worked. Thanks for MarioM's help too.

0 Karma

jrodman
Splunk Employee

This is not a good solution, as you are changing the way Splunk guesses timestamps for your entire install.
In addition, TIME_FORMAT will produce better performance and more stable results.

If you wish to create a custom datetime.xml, you should reference it within your sourcetype in props.conf.

0 Karma
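The behaviour jonzhong observed above (13/08/2014 read day-first, 1/09/2014 read month-first) next to the explicit TIME_FORMAT = %d/%m/%Y, as an added Python example that is not part of the original thread. The month-first guess order is an assumption standing in for a default guesser, not Splunk's actual datetime.xml logic, and the sample dates are constructed apart from the two quoted in the thread.

```python
from datetime import datetime

# Assumption: a guesser that tries month-first, then day-first.
GUESS_ORDER = ("%m/%d/%Y", "%d/%m/%Y")
# The explicit format given in the thread's props.conf answer.
EXPLICIT_FORMAT = "%d/%m/%Y"

# Constructed samples; the first two are the dates quoted in the thread.
SAMPLES = ["13/08/2014", "1/09/2014", "05/05/2014", "12/11/2014"]


def guess(text):
    """Return the first successful parse, trying month-first."""
    for fmt in GUESS_ORDER:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue  # e.g. month 13 is invalid, fall through to day-first
    return None


def explicit(text):
    """Parse with the fixed day-first format; raises on a mismatch."""
    return datetime.strptime(text, EXPLICIT_FORMAT)


def audit(samples):
    """List samples where guessing silently disagrees with the fixed format."""
    mismatches = []
    for text in samples:
        guessed, fixed = guess(text), explicit(text)
        if guessed != fixed:
            mismatches.append(
                (text, guessed.date().isoformat(), fixed.date().isoformat())
            )
    return mismatches


if __name__ == "__main__":
    for text, guessed, fixed in audit(SAMPLES):
        print(f"{text}: guessed {guessed}, explicit {fixed}")
```

Only values with a day above 12 force the guesser onto the day-first pattern, so every other event lands on the wrong date without any parse error, which is why a quick look at sample data can miss the problem.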

linu1988
Champion

Guess you are not putting them in lowercase as you mentioned here...

Make everything in caps, as per the documentation provided.

If you ever have any doubt, always append all the configurations in etc\system\local\props.conf

jonzhong
New Member

Yes, I removed the old directories and data, and re-added it.

0 Karma

jonzhong
New Member

I tried this from what I found on other threads but it's not working. I searched for all time_format and changed all to %d/%m/%y, restarted, but still no difference.

0 Karma

markthompson
Builder

Have you added new data? As Mario stated, IT ONLY APPLIES TO NEW DATA.

0 Karma

MarioM
Motivator

Can you paste your props.conf configuration? And which Splunk version do you have?

0 Karma