Getting Data In

How can I configure splunk to read dates in dd/mm/yyyy format?

jonzhong
New Member

how do i get splunk to read the date as dd/mm/yyyy, it is currently reading mm/dd/yyyy

Tags (1)
0 Karma

MarioM
Motivator

you need to set the timestamp format in your props.conf:

http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/Configuretimestamprecognition#Edit_timestamp_...

[<spec>]
TIME_FORMAT = <strptime-style format>

In this syntax, spec can be:

<sourcetype>, the source type of an event.
host::<host>, where <host> is the host value for an event.
source::<source>, where <source> is the source value for an event. 

In your example it should be:

[<spec>]
TIME_FORMAT = %d/%m/%Y

And this is an index time parameter thus requires splunk restart and will only apply to new data.

jonzhong
New Member

i'm using version 6.1.2

when i go into props.config, i did a search for time_format, next i change ALL "time_format = %m/ %d/ %y" to "time_format = %d/ %m/ %y"

where do i input the "time_format = "

Please advise

0 Karma

MarioM
Motivator

can you post your props.conf that we can check the syntax?
As well if you re-add the same data splunk will not re-index it then you need to do (BEWARE THIS WILL PERMANENTLY DELETE THE DATA) splunk clean eventdata -index my_index

0 Karma

jonzhong
New Member

i am going to install splunk a new workstation and redo the whole process
is there an email address for me to contact you? i can send you my props.conf

0 Karma

jonzhong
New Member

well. i cant seem to get the props.conf command to work. i'm not a programmer and have very very limited coding knowledge.

0 Karma

MarioM
Motivator

as some other splunk users might run in similar issue it is better to continue here for this thread to be profitable to them

0 Karma

jonzhong
New Member

i just notice that if i upload an index with the date 13/08/2014, it will be able to read in dd/mm/yyyy.
which means if it is not 1 to 12, splunk will read it in dd/mm/yyyy.

and if it is 1/09/2014, it will read it as mm/dd/yyyy (9 jan 2014)

i am unable to copy the props.conf, too many characters. which part do i need to copy over?

0 Karma

jonzhong
New Member

i think i manage to solve the problem. apparently, there is this datetime.xml file in splunk\etc
by default there was alot of definition is "month, day, year". so i change all of it to "day, month, year" and VIOLA!! it work. thanks for MarioM help too.

0 Karma

jrodman
Splunk Employee
Splunk Employee

This is not a good solution, as you are changing the way splunk guesses timestamps for your entire install.
In addition TIME_FORMAT will produce better performance and more stable results.

If you wish to create a custom datetime.xml, you should reference it within your sourcetype in props.conf.

0 Karma

linu1988
Champion

Guess you are not putting them in lowercase as you mentioned here...

Make everything in Caps , as per the documentations provided.

If you ever have any doubt always append all the configurations in etc\system\local\props.conf

jonzhong
New Member

yes i remove the old directories and data, re added it.

0 Karma

jonzhong
New Member

i tried this from what i found on other threads but its not working. i search for all time_format and change all to %d/%m/%y, restart but still no different

0 Karma

markthompson
Builder

Have you added new data, as Mario stated, IT ONLY APPLIES TO NEW DATA

0 Karma

MarioM
Motivator

can you paste your props.conf configuration? an which splunk version do you have?

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...