Solved: Why is Splunk is changing day for month?

ptlemos · ‎12-13-2022

Hi,

i have an edge server with splunk forward to ship log file to indexer.

The log is being indexed but splunk is changing days for months.

The events start with the example

17:00:16,965;06-12-2022 17:00:16.740;10.129.150.83;

This event is from 6 of december but is indexed as 12 of June.

The time field is ok but _time not.

I add props.conf at app/local on edge server with the following configs but did not resolve

[mbe-cdr]
TIME_PREFIX = \d+:\d+:\d+\,\d+\;
TIME_FORMAT = %d-%m-%Y %H:%M:%S.%Q

Thanks in advance

richgalloway · ‎12-13-2022

The TIME_FORMAT setting looks correct, but for it to be effective it must be on the first Splunk Indexer or Heavy Forwarder that processes the data. It can't hurt to put the props.conf settings in both places. Universal Forwarders will ignore TIME_FORMAT.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

ptlemos · ‎12-14-2022

Thanks for the input, configure props.conf on the indexer and solve the problem.

richgalloway · ‎12-13-2022

The TIME_FORMAT setting looks correct, but for it to be effective it must be on the first Splunk Indexer or Heavy Forwarder that processes the data. It can't hurt to put the props.conf settings in both places. Universal Forwarders will ignore TIME_FORMAT.

---
If this reply helps you, Karma would be appreciated.

Why is Splunk is changing day for month?

using Splunk Enterprise

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?