How do I get Splunk to read the date as dd/mm/yyyy? It is currently reading it as mm/dd/yyyy.
You need to set the timestamp format in your props.conf:
[<spec>]
TIME_FORMAT = <strptime-style format>
In this syntax, spec can be:
<sourcetype>, the source type of an event.
host::<host>, where <host> is the host value for an event.
source::<source>, where <source> is the source value for an event.
In your example it should be:
[<spec>]
TIME_FORMAT = %d/%m/%Y
This is an index-time parameter, so it requires a Splunk restart and will only apply to new data.
I'm using version 6.1.2.
When I go into props.conf, I did a search for time_format; next I changed ALL "time_format = %m/ %d/ %y" to "time_format = %d/ %m/ %y".
Where do I input the "time_format = "?
Please advise.
Can you post your props.conf so that we can check the syntax?
As well, if you re-add the same data Splunk will not re-index it; then you need to run (BEWARE: THIS WILL PERMANENTLY DELETE THE DATA) splunk clean eventdata -index my_index
I am going to install Splunk on a new workstation and redo the whole process.
Is there an email address for me to contact you? I can send you my props.conf.
Well, I can't seem to get the props.conf command to work. I'm not a programmer and have very, very limited coding knowledge.
As some other Splunk users might run into a similar issue, it is better to continue here so that this thread is useful to them.
I just noticed that if I upload an index with the date 13/08/2014, it will be able to read it in dd/mm/yyyy,
which means that if it is not 1 to 12, Splunk will read it in dd/mm/yyyy.
And if it is 1/09/2014, it will read it as mm/dd/yyyy (9 Jan 2014).
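The behaviour noticed above follows directly from how strptime-style formats work: a day of 13 or more can only be a day, while values from 1 to 12 parse under both dd/mm/yyyy and mm/dd/yyyy, so only an explicit TIME_FORMAT (as in the first answer) settles them. The following Python check, added here and not part of the thread or of Splunk itself, runs a sample of date strings against both formats and reports which ones are ambiguous; it assumes Python's datetime.strptime is a close enough stand-in for Splunk's TIME_FORMAT parsing.

```python
from datetime import datetime

# Candidate strptime-style formats, in the notation Splunk's TIME_FORMAT uses.
DMY = "%d/%m/%Y"   # the format the thread wants (TIME_FORMAT = %d/%m/%Y)
MDY = "%m/%d/%Y"   # the format Splunk was guessing instead

# Constructed sample values, including the two dates discussed in the thread.
SAMPLE_DATES = ["13/08/2014", "1/09/2014", "31/12/2014", "05/06/2014"]


def parses_as(value, fmt):
    """Return the datetime if value matches fmt, otherwise None."""
    try:
        return datetime.strptime(value, fmt)
    except ValueError:
        return None


def classify(value):
    """Classify a date string: 'dmy-only', 'mdy-only', 'ambiguous' or 'neither'."""
    dmy = parses_as(value, DMY)
    mdy = parses_as(value, MDY)
    if dmy and mdy:
        return "ambiguous"   # both readings are valid; TIME_FORMAT must decide
    if dmy:
        return "dmy-only"    # day > 12, so only dd/mm/yyyy fits
    if mdy:
        return "mdy-only"    # month position > 12 only fits mm/dd/yyyy
    return "neither"         # not a slash-separated date at all


def ambiguity_report(values):
    """Map each sample to its classification (check this before ingesting)."""
    return {v: classify(v) for v in values}


if __name__ == "__main__":
    for value, kind in ambiguity_report(SAMPLE_DATES).items():
        d = parses_as(value, DMY)
        m = parses_as(value, MDY)
        print(f"{value}: {kind}; as dd/mm/yyyy -> {d.date() if d else None}; "
              f"as mm/dd/yyyy -> {m.date() if m else None}")
```

If every date in a sample file comes back "ambiguous", nothing in the data itself tells Splunk which order is meant, which is exactly when relying on automatic timestamp guessing goes wrong.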
I am unable to copy the props.conf; it has too many characters. Which part do I need to copy over?
I think I managed to solve the problem. Apparently, there is this datetime.xml file in splunk\etc.
By default there were a lot of definitions as "month, day, year", so I changed all of them to "day, month, year" and VOILA!! It works. Thanks for MarioM's help too.
This is not a good solution, as you are changing the way Splunk guesses timestamps for your entire install.
In addition, TIME_FORMAT will produce better performance and more stable results.
If you wish to create a custom datetime.xml, you should reference it within your sourcetype in props.conf.
Guess you are not putting them in lowercase as you mentioned here...
Make everything in caps, as per the documentation provided.
If you ever have any doubt, always append all the configurations in etc\system\local\props.conf.
Yes, I removed the old directories and data, and re-added it.
I tried this from what I found on other threads but it's not working. I searched for all time_format and changed all to %d/%m/%y, restarted, but still no difference.
Have you added new data? As Mario stated, IT ONLY APPLIES TO NEW DATA.
Can you paste your props.conf configuration? And which Splunk version do you have?