You need to set the timestamp format in your props.conf:
[<spec>]
TIME_FORMAT = <strptime-style format>
In this syntax, <spec> can be:
<sourcetype>, the source type of an event.
host::<host>, where <host> is the host value for an event.
source::<source>, where <source> is the source value for an event.
In your example it should be:
[<spec>]
TIME_FORMAT = %d/%m/%Y
And this is an index-time parameter, thus it requires a Splunk restart and will only apply to new data.
I'm using version 6.1.2.
When I go into props.conf, I did a search for time_format; next I changed ALL "time_format = %m/ %d/ %y" to "time_format = %d/ %m/ %y".
Where do I input the "time_format = "?
Can you post your props.conf so that we can check the syntax?
As well, if you re-add the same data, Splunk will not re-index it; then you need to do (BEWARE: THIS WILL PERMANENTLY DELETE THE DATA)
splunk clean eventdata -index my_index
I just noticed that if I upload an index with the date 13/08/2014, it will be able to read it in dd/mm/yyyy.
Which means if it is not 1 to 12, Splunk will read it in dd/mm/yyyy.
And if it is 1/09/2014, it will read it as mm/dd/yyyy (9 Jan 2014).
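To make the ambiguity described in the post above concrete, here is an added example (not from this thread and not Splunk code) that parses the two dates mentioned, 13/08/2014 and 1/09/2014, with both strptime formats; the %d/%m/%Y and %m/%d/%Y directives are the same ones TIME_FORMAT uses, so it shows why day-first data silently turns into the wrong day once any month-first guess is applied. The sample events are constructed.

```python
from datetime import datetime

# Constructed sample events, written day-first (dd/mm/yyyy) like the thread's data.
SAMPLE_EVENTS = [
    "13/08/2014 10:15:00 user=alice action=login",
    "1/09/2014 10:16:00 user=bob action=login",
]


def parse_event_time(event, time_format):
    """Parse the leading date token of an event with an explicit strptime format.

    Returns a date, or None when the token does not fit the format at all
    (the case where a month-first guess cannot be applied to a day above 12).
    """
    date_token = event.split()[0]
    try:
        return datetime.strptime(date_token, time_format).date()
    except ValueError:
        return None


def compare_formats(events):
    """Parse each event under the intended day-first format and the month-first guess.

    The result makes the failure mode visible: a day above 12 cannot be read
    month-first, but a day of 12 or less is accepted and silently swapped.
    """
    rows = []
    for ev in events:
        rows.append({
            "event": ev,
            "dmy": parse_event_time(ev, "%d/%m/%Y"),  # the TIME_FORMAT the thread wants
            "mdy": parse_event_time(ev, "%m/%d/%Y"),  # the month-first guess
        })
    return rows


if __name__ == "__main__":
    for row in compare_formats(SAMPLE_EVENTS):
        print(row["event"].split()[0], "day-first:", row["dmy"], "month-first:", row["mdy"])
```

Any event whose day is 12 or less parses without error under both formats, which is exactly why an explicit TIME_FORMAT, rather than guessing, is needed for a trustworthy timeline.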
I am unable to copy the props.conf, too many characters. Which part do I need to copy over?
I think I managed to solve the problem. Apparently, there is this datetime.xml file in splunk\etc.
By default there were a lot of definitions as "month, day, year", so I changed all of them to "day, month, year" and VOILA!! It works. Thanks to MarioM for the help too.
This is not a good solution, as you are changing the way Splunk guesses timestamps for your entire install.
In addition, TIME_FORMAT will produce better performance and more stable results.
If you wish to create a custom datetime.xml, you should reference it within your sourcetype in props.conf.
Guess you are not putting them in lowercase as you mentioned here...
Make everything in caps, as per the documentation provided.
If you ever have any doubt, always append all the configurations in