Solved: Re: setting the default date format for events

las · ‎11-08-2012

I have a date in my input files 08-11-12, This date could be August 11. 2012, or (as is the case) November 8. 2012, as I use European date-format.

It looks like Splunk likes to use the American date-format before using the European, so it thinks the event was written in august.

How do I change the default behavior, so that it first uses European format, and then American?

Kind regards

las · ‎11-09-2012

I used the comment from dart.
A little more work, but it works.

View solution in original post

las · ‎11-09-2012

I used the comment from dart.
A little more work, but it works.

las · ‎11-09-2012

Thanks - as usual very helpful info.

dart · ‎11-08-2012

It's better to do this with a TIME_FORMAT for each sourcetype, but otherwise you could create your own datetime.xml and then use the default stanza to specify using your copy of datetime.xml.

Ayn · ‎11-08-2012

These issues are typically found on a per-sourcetype basis, so setting a global default is kind of dangerous. But, if you really know what you are doing you could set a global setting using the [default] stanza in props.conf.

las · ‎11-08-2012

Yes, but isn't that on a sourcetype basis. I want to default use the European formats before the American.

kristian_kolb · ‎11-08-2012

Check out the TIME_FORMAT parameter for props.conf. With that you specify how the incoming timestamps should be parsed.

setting the default date format for events

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation