Getting Data In

To change the date format for events, do we modify datetime.xml on the Indexer or forwarder?

echalex
Builder

Hi,

Fairly simple question, but I can't find the answer. Since we never use the illogical date format month-day-year, that Splunk seems to prefer over any sane format, we need to modify datetime.xml accordingly. However, it is not clear to me whether this is a setting that we need to set on the indexer or the forwarder. Any pointers to this would be appreciated.

0 Karma
1 Solution

woodcock
Esteemed Legend

Why do you think you need to go so deep as to use datetime.xml (that is for very unusual/difficult cases, like pulling the timestamp from the filename)? You should be using the "normal" settings in props.conf and DEFINITELY DO NOT rely on automatic timestamping. Read these:

http://docs.splunk.com/Documentation/Splunk/6.3.0/Data/Configuretimestamprecognition
http://docs.splunk.com/Documentation/Splunk/6.3.0/Data/HowSplunkextractstimestamps
http://docs.splunk.com/Documentation/Splunk/6.3.0/Admin/propsconf

Then push these out to your Indexers (or Heavy Forwarders if you are using HF) an restart all Splunk instances there.

View solution in original post

woodcock
Esteemed Legend

Why do you think you need to go so deep as to use datetime.xml (that is for very unusual/difficult cases, like pulling the timestamp from the filename)? You should be using the "normal" settings in props.conf and DEFINITELY DO NOT rely on automatic timestamping. Read these:

http://docs.splunk.com/Documentation/Splunk/6.3.0/Data/Configuretimestamprecognition
http://docs.splunk.com/Documentation/Splunk/6.3.0/Data/HowSplunkextractstimestamps
http://docs.splunk.com/Documentation/Splunk/6.3.0/Admin/propsconf

Then push these out to your Indexers (or Heavy Forwarders if you are using HF) an restart all Splunk instances there.

echalex
Builder

Hi and thanks for the reply!

The reason why I'm looking into using datetime.xml is that Splunk uses an incorrect format by default. Therefore, I want to change the order in which Splunk makes its educated guess. So the edit is really minor.

We never use the format month-day-year and for us it's an illogical order, since it breaks the order of magnitude. It's either year-month-day, day-month-year or day-month (- signifying any separator). We run a plethora of custom applications and we try to enforce the year-month-day standard. Unfortunately, new installations do not always adhere and in some cases, the format has (alas) been hard-coded. Therefore, we unfortunately have sourcetypes with mixed date formats.

We have currently 118 sourcetypes, from several projects, products, owners and admins. Setting the timestamp recognition for each and every one is simply too overwhelming a task. So, the only reliable solution is to instruct Splunk not to make the illogical choice as a first guess.

I also want to point out that some admins have been surprised at the behaviour, when they previously have seen date like 20-30 September correctly identified for a sourcetype, but suddenly 1 October becomes 10 January.

Thanks for the reply, though! You answered my question and this isn't quite clear in the documentation.

Disclaimer: Yes, I know month-day-year is the preferred choice and makes sense for US citizens, but for us it's as confusing as Fahrenheit.

0 Karma

woodcock
Esteemed Legend

Be sure that you DO NOT edit the datetime.xml in the default directory; copy it to local and edit it there. Also be aware that one of the "quickest wins" you can get to speed up your indexing (shorten event latency) and save considerable CPU is to configure timestamping. You will see a MAJOR improvement if you do so.

0 Karma

echalex
Builder

Hi. Duly noted. Thanks!

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...