how to format date without year in the time stamp

Kozanic · ‎09-29-2014

I have a file that I'm trying to get the date right on - but am not having much success, and haven't been able to find a solution as yet.

Time stamp format is as below:
09/23 16:30:01.55

This is at the start of the event line with other information following.

I have tried using: TIME_FORMAT=%d/%m %H:%M:%S.%2N

however, this gives me: 9/20/01 6:24:41.550 AM

2 things I would like to try and achieve are:

markthompson · ‎09-30-2014

You could try using the convert command.

convert timeformat=%d/%m ctime(Time)

This should work I think, I've used it in a graph to change the time stamp, but not the date, I think it should still apply.

Kozanic · ‎09-30-2014

Thanks Mark,

Am I able to use convert at index time?

I have tried your suggestion, but does seem to make any different to the Timestamp being generated.

markthompson · ‎10-01-2014

Hi Kozanic,
Do you mean at the time that it indexes the file? If so, I don't think you can, but it can be used in search queries,
Otherwise I think you could use this solution; http://answers.splunk.com/answers/525/how-can-i-change-the-time-format-in-splunk-web.html

Hope this helps 🙂

Kozanic · ‎09-29-2014

Thanks sk314, I hadn't, but I have tried and it doesn't seem to be working for me - not sure if I'm doing it wrong somehow.

Will continue to play and see what I can work out.

sk314 · ‎09-29-2014

Kozanic · ‎09-29-2014

Minor edit:
TIME_FORMAT=%m/%d %H:%M:%S.%3N