How can I change the date format of search results?

cmartell
Explorer

All of my devices send logs to Splunk with date format set at yyyy-mm-dd, as they should, and Splunk reads them fine and displays the correct dates in the search results but in the wrong format. The dates are displayed in the default US format of mm-dd-yyyy. How can I fix this so search results show yyyy-mm-dd?

jolous
Engager

You need to force Splunk to use a locale that has the date format you want.
In your case probably en_GB.

  • Quickfix: You can override the locale in the url - e.g. https://splunk/en-GB/app/search/...

  • Better fix: The default locale is specified by the browser - e.g. in prioritised order in chrome://settings/languages.
    Your problem is probably that your actual preferred language is not supported by Splunk, and the first one in the list that Splunk recognises is American English.
    Add UK English and place it higher than American English and you should be OK.
    Just make sure you remove any hardwired "en-US/" override from your URL.

  • Proper fix: I cannot think of a single reason why date presentation format should not be made a simple user preference, independently of available translation languages and having to know the obscure technicalities of which locale Splunk will actually end up using.

The locales supported by Splunk are de_DE, en_GB, en_US, fr_FR, it_IT, ja_JP, ko_KR, zh_CN, and zh_TW.
Source: https://docs.splunk.com/Documentation/Splunk/6.2.1/Admin/Userlanguageandlocale
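
The selection order described in the answer above (URL override first, then the browser's prioritised language list, first supported entry wins), modelled as an added example that is not part of the original post and not Splunk's own code. The function names, the exact language-region matching and the en_US fallback are assumptions; the supported list is the one quoted in the answer.

```python
# Locales the answer lists as supported by Splunk.
SUPPORTED = ["de_DE", "en_GB", "en_US", "fr_FR", "it_IT",
             "ja_JP", "ko_KR", "zh_CN", "zh_TW"]


def parse_accept_language(header):
    """Return the tags of an Accept-Language header, highest q-value first."""
    ranked = []
    for position, item in enumerate(header.split(",")):
        tag, _, params = item.strip().partition(";")
        tag, params = tag.strip(), params.strip()
        if not tag or tag == "*":
            continue
        q = 1.0  # a tag without an explicit q-value has weight 1
        if params.startswith("q="):
            try:
                q = float(params[2:])
            except ValueError:
                q = 0.0
        if q > 0:
            # position keeps the browser's order for equal weights
            ranked.append((-q, position, tag))
    return [tag for _, _, tag in sorted(ranked)]


def match_supported(tag):
    """Map 'en-GB' or 'en_gb' to 'en_GB'; None if not in SUPPORTED."""
    wanted = tag.replace("-", "_").lower()
    for locale in SUPPORTED:
        if locale.lower() == wanted:
            return locale
    return None  # bare tags such as 'en' or 'da' are skipped in this model


def pick_locale(header, url_path="", fallback="en_US"):
    """Model of the selection order in the answer (assumed, hypothetical)."""
    # 1. A locale as the first URL path segment overrides the browser.
    forced = match_supported(url_path.strip("/").split("/")[0])
    if forced:
        return forced
    # 2. Otherwise the first browser language that is supported wins.
    for tag in parse_accept_language(header):
        chosen = match_supported(tag)
        if chosen:
            return chosen
    return fallback  # assumed default when nothing matches
```

With a constructed header such as `da-DK,da;q=0.9,en-US;q=0.8,en-GB;q=0.7` the model returns en_US, because Danish is not in the supported list; swapping the two English entries, or passing a URL path starting with `/en-GB/`, returns en_GB.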

jolous
Engager

Yes please!
I cannot think of a single good reason why the date presentation format used by the GUI is not a user preference in the GUI.

0 Karma

ppablo
Retired

Hi @cmartell

Have you checked out the documentation on configuring proper timestamp recognition at index-time?
http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/HowSplunkextractstimestamps
http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/Configuretimestamprecognition

0 Karma

ppablo
Retired

Otherwise, you can also do this at search time using eval and its function strptime, but I'm not sure you'd want to do that every time you run a search.
http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/CommonEvalFunctions

0 Karma

cmartell
Explorer

Hi Pablo and thanks for your response.

Splunk isn't having any trouble recognizing time stamps. It reads them fine and displays the correct dates in the search results. The problem is that it displays the dates as mm-dd-yyyy instead of yyyy-mm-dd.

0 Karma

cmartell
Explorer

Small correction: the dates are displaying as mm-dd-yy, not mm-dd-yyyy.

0 Karma

ppablo
Retired

Are the dates appearing in the raw event as mm-dd-yy or just in the table in your search results? This section of the documentation might give you some hints on where to look for the issue:
http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/Configuretimestamprecognition#Configure_how_t...

0 Karma

cmartell
Explorer

In the Time column I am seeing mm-dd-yy and would like to see yyyy-mm-dd. In the Event column I see mmm dd which is fine.

I have created a props.conf file in the local folder with this text and it didn't help:
[splunkd]
TIME_FORMAT = %Y-%m-%d %H:%M:%S

0 Karma

jaqb
New Member

Any successes?

I would also like to have the natural (yyyy-mm-dd) date in search results.

0 Karma

cmartell
Explorer

No success yet. This is something Splunk needs to do. It is the International Standard Date Notation after all.

0 Karma