Solved: setting the default date format for events

las · ‎11-08-2012

I have a date in my input files 08-11-12, This date could be August 11. 2012, or (as is the case) November 8. 2012, as I use European date-format.

It looks like Splunk likes to use the American date-format before using the European, so it thinks the event was written in august.

How do I change the default behavior, so that it first uses European format, and then American?

Kind regards

las · ‎11-09-2012

I used the comment from dart.
A little more work, but it works.

View solution in original post

las · ‎11-09-2012

I used the comment from dart.
A little more work, but it works.

las · ‎11-09-2012

Thanks - as usual very helpful info.

dart · ‎11-08-2012

It's better to do this with a TIME_FORMAT for each sourcetype, but otherwise you could create your own datetime.xml and then use the default stanza to specify using your copy of datetime.xml.

Ayn · ‎11-08-2012

These issues are typically found on a per-sourcetype basis, so setting a global default is kind of dangerous. But, if you really know what you are doing you could set a global setting using the [default] stanza in props.conf.

las · ‎11-08-2012

Yes, but isn't that on a sourcetype basis. I want to default use the European formats before the American.

kristian_kolb · ‎11-08-2012

Check out the TIME_FORMAT parameter for props.conf. With that you specify how the incoming timestamps should be parsed.

setting the default date format for events

Detector Best Practices: Static Thresholds

Expert Tips from Splunk Education, Observability in Action, Plus More New Articles on ...

Changes to Splunk Instructor-Led Training Completion Criteria