Re: timestamp format of the input files

newbiesplunk · ‎08-01-2014

Hi,
when i forward my input files (c:\data) from server A to Splunk Head at ServerB, the date format was correct for all input files as of yesterday. But today, when the date is 1/8/2014 (dd/mm/yyyy), some files from the server A is recognised as 8/1/2014 (dd/mm/yyyy) and some recognised as 1/8/2014 (dd/mm/yyyy). Why is it so? How and where to correct it to ensure the new data format is recognised as dd/mm/yyyy. thks

keerthana_k · ‎08-01-2014

You can do this my mentioning your time format in props.conf file:

Under your configuration stanza, you can add

TIME_FORMAT=%d/%m/%Y

This will ensure that the timestamp for all the events of that type are considered in dd/mm/yyyy format.

somesoni2 · ‎08-05-2014

You might have to configure other attributes for your sourcetype for timestamp recognition and event-breaking. Please provide some sample logs and current sourcetype definition from props.conf (if any, from indexer).

keerthana_k · ‎08-05-2014

Can you paste your props.conf setting?

newbiesplunk · ‎08-05-2014

how come from the same forwarder, the date format is different for different input files? So strange.

newbiesplunk · ‎08-05-2014

it works only the first event after restarted the splunk and the subsequent events were returned back to mm/dd/yyyy. ANy thing else need to do? thks

strive · ‎08-01-2014

Can you post your props.conf settings

timestamp format of the input files

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!