I have a file that I'm trying to get the date right on - but am not having much success, and haven't been able to find a solution as yet.
Time stamp format is as below:
This is at the start of the event line with other information following.
I have tried using: TIME_FORMAT=%d/%m %H:%M:%S.%2N
However, this gives me: 9/20/01 6:24:41.550 AM
2 things I would like to try and achieve are:
You could try using the convert command.
convert timeformat="%d/%m" ctime(_time)
This should work, I think; I've used it in a graph to change the time stamp but not the date, and I think it should still apply.
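To show what the question's TIME_FORMAT and the convert command in the answer above actually do with an event line, here is an added example in Python; it is not code from the question, the answer, or Splunk itself. The sample lines are constructed, and their layout ("DD/MM HH:MM:SS.ff" at the start of the line) is an assumption taken from the TIME_FORMAT the questioner posted. Python's strptime has no equivalent of Splunk's %2N, so the fraction is captured separately, and because the format carries no year the caller supplies one explicitly (Splunk would fill one in itself). The last helper is the check a practitioner wants before choosing %d/%m over %m/%d: whether the data can tell the two apart at all.

```python
import re
from datetime import datetime

# Constructed sample events (assumed layout: "DD/MM HH:MM:SS.ff" at the start
# of each line, i.e. what TIME_FORMAT=%d/%m %H:%M:%S.%2N would be matching).
SAMPLE_EVENTS = [
    "20/09 06:24:41.55 user=alice action=login result=ok",
    "03/10 18:02:07.09 user=bob action=sudo result=denied",
]

# Leading timestamp: day/month (or month/day), time, and a subsecond fraction.
# The fraction is captured on its own because Python's strptime has no %2N.
TS_RE = re.compile(
    r"^(?P<dm>\d{1,2}/\d{1,2}) (?P<hms>\d{2}:\d{2}:\d{2})\.(?P<frac>\d{1,6})"
)


def parse_event_time(line, year, day_first=True):
    """Return (datetime, remainder_of_line) for a line that starts with the timestamp.

    year:      the format has no year, so it must be supplied (assumption: the
               caller knows which year the file covers).
    day_first: True for %d/%m, False for %m/%d. A value that is impossible in
               the chosen position (e.g. month 20) raises ValueError, which is
               the symptom of picking the wrong order.
    """
    m = TS_RE.match(line)
    if not m:
        raise ValueError("no timestamp at start of line: %r" % line)
    a, b = m.group("dm").split("/")
    day, month = (a, b) if day_first else (b, a)
    base = datetime.strptime(
        "%s-%s-%s %s" % (year, month, day, m.group("hms")), "%Y-%m-%d %H:%M:%S"
    )
    # Right-pad the captured fraction to microseconds ("55" -> 550000).
    micro = int(m.group("frac").ljust(6, "0")[:6])
    return base.replace(microsecond=micro), line[m.end():].lstrip()


def render(ts, fmt="%d/%m %H:%M:%S"):
    """Search-time re-rendering of a parsed time, the job that
    `convert timeformat="..." ctime(_time)` does in Splunk."""
    return ts.strftime(fmt)


def day_month_order_is_ambiguous(lines):
    """True if every leading pair has both numbers <= 12, so the data alone
    cannot distinguish %d/%m from %m/%d; False if at least one line settles it."""
    for line in lines:
        m = TS_RE.match(line)
        if not m:
            continue
        a, b = (int(x) for x in m.group("dm").split("/"))
        if a > 12 or b > 12:
            return False
    return True


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        ts, rest = parse_event_time(line, year=2001)
        print(render(ts), "|", render(ts, "%m/%d/%y %H:%M:%S.%f"), "|", rest)
    print("order ambiguous:", day_month_order_is_ambiguous(SAMPLE_EVENTS))
```

Running it with the first sample line and day_first=False fails with a ValueError, because "20" cannot be a month; that is exactly the kind of line that proves the file is day-first and justifies %d/%m in the TIME_FORMAT.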
Do you mean at the time that it indexes the file? If so, I don't think you can, but it can be used in search queries.
Otherwise, I think you could use this solution: http://answers.splunk.com/answers/525/how-can-i-change-the-time-format-in-splunk-web.html
Hope this helps 🙂