Solved: Why is Splunk is changing day for month?

ptlemos · ‎12-13-2022

Hi,

i have an edge server with splunk forward to ship log file to indexer.

The log is being indexed but splunk is changing days for months.

The events start with the example

17:00:16,965;06-12-2022 17:00:16.740;10.129.150.83;

This event is from 6 of december but is indexed as 12 of June.

The time field is ok but _time not.

I add props.conf at app/local on edge server with the following configs but did not resolve

[mbe-cdr]
TIME_PREFIX = \d+:\d+:\d+\,\d+\;
TIME_FORMAT = %d-%m-%Y %H:%M:%S.%Q

Thanks in advance

richgalloway · ‎12-13-2022

The TIME_FORMAT setting looks correct, but for it to be effective it must be on the first Splunk Indexer or Heavy Forwarder that processes the data. It can't hurt to put the props.conf settings in both places. Universal Forwarders will ignore TIME_FORMAT.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

ptlemos · ‎12-14-2022

Thanks for the input, configure props.conf on the indexer and solve the problem.

richgalloway · ‎12-13-2022

The TIME_FORMAT setting looks correct, but for it to be effective it must be on the first Splunk Indexer or Heavy Forwarder that processes the data. It can't hurt to put the props.conf settings in both places. Universal Forwarders will ignore TIME_FORMAT.

---
If this reply helps you, Karma would be appreciated.

Why is Splunk is changing day for month?

using Splunk Enterprise

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life