Solved: Why doesn't the time format match my log?

kannu · ‎06-01-2018

Hi splunkers

I have following log entry in file getting indexed on sourcetype name "ncm"

"01/06/2018 12:00:47 : Started LoadBalancer"

This is of 1st june 2018 but in splunk this entry has been taken as 6 january 2018 . Before this entry comes in the log two days ago i have already changed the time format in props.conf

[ncm]
TIME_FORMAT = %d-%m-%Y %H:%M:%S

So in that two days data arrived as per my time format but today 1st june data went to 6th january .

Please help.

FrankVl · ‎06-01-2018

That TIME_FORMAT does not match your log. Your log has / as separator, while your TIME_FORMAT uses -. Which will cause Splunk to revert to auto detection, which indeed can fail on ambiguous dates likes 01/06/2018.

View solution in original post

FrankVl · ‎06-01-2018

That TIME_FORMAT does not match your log. Your log has / as separator, while your TIME_FORMAT uses -. Which will cause Splunk to revert to auto detection, which indeed can fail on ambiguous dates likes 01/06/2018.

kannu · ‎06-01-2018

@FrankVl

So below will work ?

[ncm]
TIME_FORMAT = %d/%m/%Y %H:%M:%S

FrankVl · ‎06-01-2018

Yes, I would expect it would 🙂

Why doesn't the time format match my log?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation