hi all.
I have searched splunk answers and seen various people commenting on timestamp formats, but I can't find exactly what I'm seeing, so I thought I'd ask the question.
I am trying to create a new file input based on a txt file that gets updated with a timestamped event.
When I preview the file, it highlights the timestamp in my data with a green highlight, which I presume shows me that it has identified the time/date.
I'm in the UK so my data is DD/MM: 01/06/2015 13:58:47
However, on the right hand side of the preview screen where it shows the "event time distribution" as a small graph, the format is MM/DD.
Why is it changing this?
What is more bizarre is that I set up these file inputs last month and they were working fine. Date format was dd/mm etc. and I had no problems. But when we ticked over to the 1st of June, literally at midnight, the inputs stopped working.
I don't know of any change to our environment that would cause this. We haven't updated Splunk in any way recently. The files are being updated in the same way every 5 minutes, and the raw data in the files is still correct and hasn't changed.
Also, it isn't browser locale related. I am using the same URL I always use. I can use it with or without en-gb in the URL, and the same happens with these file inputs.
I know this is going to be very hard to provide a solution, but I've checked everything I can think of so I'm just looking for any ideas that I have possibly overlooked.
We are using Splunk 6.0.2, build 196940.
thanks guys!
Dave
Splunk defaults to MM/DD format, but is smart enough to know there is no thirteenth month, so "13/05" must be 13 May. Now that day numbers are back in the 1-12 range, Splunk again thinks the first number is a month. You can resolve this by putting

TIME_FORMAT = %d/%m/%Y %H:%M:%S

in the relevant stanza of your props.conf file.
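The failure mode the answer describes can be reproduced outside Splunk. The following is an added example, not code from the question or the answer and not Splunk's real timestamp parser: it models a month-first guess with a day/month fallback (an assumption about the default behaviour) next to a fixed format equivalent to the TIME_FORMAT setting above, and runs both over constructed log lines from either side of the 1 June rollover. Events that parse out of order or months in the past are exactly what breaks search windows, alerts and correlation in a SOC, so the monotonicity check at the end is the thing to watch.

```python
from datetime import datetime

# Constructed sample lines: the same kind of file before and after 1 June.
# The first two are unambiguous (no month 13 or 31); the last two are not.
SAMPLE_LINES = [
    "13/05/2015 13:58:47 backup completed",
    "31/05/2015 23:55:02 backup completed",
    "01/06/2015 00:00:11 backup completed",   # 1 June, or 6 January?
    "02/06/2015 00:05:09 backup completed",   # 2 June, or 6 February?
]

UK_FORMAT = "%d/%m/%Y %H:%M:%S"   # the TIME_FORMAT value from the answer
US_FORMAT = "%m/%d/%Y %H:%M:%S"   # month-first default assumed in this model


def timestamp_field(line):
    """Return the leading 'dd/mm/yyyy HH:MM:SS' token pair of a log line."""
    return " ".join(line.split(" ", 2)[:2])


def guess_timestamp(line):
    """Simplified model (an assumption, not Splunk's parser): try month-first,
    and fall back to day-first only when month-first is impossible."""
    text = timestamp_field(line)
    try:
        return datetime.strptime(text, US_FORMAT)
    except ValueError:
        return datetime.strptime(text, UK_FORMAT)


def explicit_timestamp(line):
    """Parse with a fixed format, the equivalent of setting TIME_FORMAT."""
    return datetime.strptime(timestamp_field(line), UK_FORMAT)


def find_misparsed(lines):
    """Return (line, guessed, actual) for every line where the guess is wrong."""
    result = []
    for line in lines:
        guessed, actual = guess_timestamp(line), explicit_timestamp(line)
        if guessed != actual:
            result.append((line, guessed, actual))
    return result


def is_monotonic(timestamps):
    """True if the timestamps never go backwards; a file written every
    5 minutes should always satisfy this."""
    return all(a <= b for a, b in zip(timestamps, timestamps[1:]))


if __name__ == "__main__":
    for line, guessed, actual in find_misparsed(SAMPLE_LINES):
        print(f"{line!r}: guessed {guessed:%Y-%m-%d}, actually {actual:%Y-%m-%d}")
    print("guessed order monotonic:",
          is_monotonic([guess_timestamp(l) for l in SAMPLE_LINES]))
    print("explicit order monotonic:",
          is_monotonic([explicit_timestamp(l) for l in SAMPLE_LINES]))
```

With the guessing model, the May lines parse correctly and the June lines are silently pushed back to January and February, so the event sequence is no longer monotonic; with the fixed format every line lands where the file says it does. Setting TIME_FORMAT (and, where the timestamp is not at the start of the line, TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD in the same stanza) removes the guess entirely, which is the robust fix rather than hoping the day number stays above 12.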
This has been discussed ad nauseam in this other question (including the answer and many layers of debug):