Getting Data In

timestamp in file inputs is the wrong format

daverodgers
Explorer

hi all.

I have searched splunk answers and seen various people commenting on timestamp formats, but I can't find exactly what I'm seeing, so I thought I'd ask the question.

I am trying to create a new file input based on a txt file that gets updated with a timestamped event.

When I preview the file, it highlights the timestamp in my data with a green highlight, which I presume shows me that it has identified the time/date.

I'm in the UK so my data is DD/MM: 01/06/2015 13:58:47

However, on the right hand side of the preview screen where it shows the "event time distribution" as a small graph, the format is MM/DD.

Why is it changing this?

What is more bizarre is that I set up these file inputs last month and they were working fine. Date format was dd/mm etc. and I had no problems. But when we ticked over to the 1st of June, literally at midnight, the inputs stopped working.

I don't know of any change to our environment that would cause this. We haven't updated splunk in any way recently. The files are being updated in the same way every 5 minutes, and the raw data in the files is still correct and hasn't changed.

Also, it isn't browser locale related. I am using the same url I always use. I can use it with or without en-gb in the url, and the same happens with these file inputs.

I know this is going to be very hard to provide a solution, but I've checked everything I can think of so I'm just looking for any ideas that I have possibly overlooked.

We are using Splunk 6.0.2 (build 196940).

thanks guys!

Dave

1 Solution

richgalloway
SplunkTrust

Splunk defaults to MM/DD format, but is smart enough to know there is no thirteenth month so "13/05" must be 13 May. Now that day numbers are back in the 1-12 range Splunk again thinks the first number is a month. You can resolve this by putting TIME_FORMAT = %d/%m/%Y %H:%M:%S in the relevant stanza of your props.conf file.

---
If this reply helps you, Karma would be appreciated.

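A small Python model of the ambiguity described in the accepted answer, added here as an illustration; it is not code from the thread or from Splunk itself. guess_timestamp is a simplified stand-in for a parser that prefers MM/DD and only falls back to DD/MM when the first field cannot be a month, parse_with_time_format is the equivalent of pinning the format with TIME_FORMAT, and the sample lines and the sourcetype name are constructed.

```python
from datetime import datetime

# Constructed sample lines in the UK DD/MM layout from the question:
# one from 13 May (day > 12) and one from 1 June (day <= 12).
SAMPLE_LINES = [
    "13/05/2015 13:58:47 poll ok",
    "01/06/2015 13:58:47 poll ok",
]

UK_FORMAT = "%d/%m/%Y %H:%M:%S"
US_FORMAT = "%m/%d/%Y %H:%M:%S"


def guess_timestamp(line):
    """Simplified model (assumption, not Splunk's real code) of a parser
    that assumes MM/DD and only switches to DD/MM when the first field
    is greater than 12 and therefore cannot be a month."""
    stamp = line[:19]
    first_field = int(stamp[:2])
    fmt = UK_FORMAT if first_field > 12 else US_FORMAT
    return datetime.strptime(stamp, fmt)


def parse_with_time_format(line, time_format=UK_FORMAT):
    """Explicit parse, which is what TIME_FORMAT in props.conf enforces."""
    return datetime.strptime(line[:19], time_format)


def props_stanza(sourcetype):
    """props.conf stanza that fixes the sourcetype to the DD/MM layout.
    TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD assume the stamp leads the line."""
    return (
        f"[{sourcetype}]\n"
        f"TIME_PREFIX = ^\n"
        f"TIME_FORMAT = {UK_FORMAT}\n"
        f"MAX_TIMESTAMP_LOOKAHEAD = 19\n"
    )


def compare(lines):
    """For each line return (line, guessed date, explicit date, agree?).
    A False in the last slot is an event that would be indexed under the
    wrong day, and so would vanish from searches over the expected range."""
    results = []
    for line in lines:
        guessed = guess_timestamp(line)
        explicit = parse_with_time_format(line)
        results.append((line, guessed.date().isoformat(),
                        explicit.date().isoformat(), guessed == explicit))
    return results


if __name__ == "__main__":
    for row in compare(SAMPLE_LINES):
        print(row)
    print(props_stanza("uk_poll_log"))
```

Only the June line disagrees between the two parsers, which matches the symptom of inputs that worked all of May and broke at midnight on 1 June.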

woodcock
Esteemed Legend

This has been discussed ad-nauseam in this other question (including the answer and many layers of debug):

http://answers.splunk.com/answers/241800/why-am-i-unable-to-search-previously-indexed-data.html#comm...

