Re: How can I change the date format of search res...

cmartell · ‎02-06-2015

All of my devices send logs to Splunk with date format set at yyyy-mm-dd, as they should, and Splunk reads them fine and displays the correct dates in the search results but in the wrong format. The dates are displayed in the default US format of mm-dd-yyyy. How can I fix this so search results show yyyy-mm-dd?

jolous · ‎03-01-2019

You need to force splunk to use a locale that has the date format you want.
In your case probably en_GB.

Quickfix: You can override the locale in the url - e.g. https://splunk/en-GB/app/search/...
Better fix: The default locale is specified by the browser - e.g. in prioritised order in chrome://settings/languages.
Your problem is probably that your actual preferred language is not supported by splunk, and the first one that in the list that splunk recognises is american english.
Add UK english and place it higher than american english and you should be OK.
Just make sure you remove any hardwired "en-US/" override from your URL.
Proper fix: I cannot think of a single reason why date presentation format should not be made a simple user preference, independently of available translation languages and having to know the obscure techicalities of which locale splunk will actually end up using.

The locales supported by splunk are de_DE, en_GB, en_US, fr_FR, it_IT, ja_JP, ko_KR, zh_CN, and zh_TW.
Source: https://docs.splunk.com/Documentation/Splunk/6.2.1/Admin/Userlanguageandlocale

jolous · ‎03-01-2019

Yes please!
I can not think of a single good reason why the date presentation format used by the GUI is not a user preference in the GUI.

ppablo · ‎02-06-2015

Hi @cmartell

Have you checked out the documentation on configuring proper timestamp recognition at index-time?
http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/HowSplunkextractstimestamps
http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/Configuretimestamprecognition

ppablo · ‎02-06-2015

Otherwise, you can also do this at search time using eval and its function strptime, but I'm not sure you'd want to do that every time you run a search.
http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/CommonEvalFunctions

cmartell · ‎02-06-2015

Hi Pablo and thanks for your response.

Splunk isn't having any trouble recognizing time stamps. It reads them fine and displays the correct dates in the search results. The problem is that it displays the dates as mm-dd-yyyy instead of yyyy-mm-dd

cmartell · ‎02-06-2015

Small correction is that the dates are displaying as mm-dd-yy not mm-dd-yyyy

ppablo · ‎02-06-2015

are the dates appearing in the raw event as mm-dd-yy or just the table in your search results? This section of the documentation might give you some hints on where to look where the issue might be
http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/Configuretimestamprecognition#Configure_how_t...

cmartell · ‎02-06-2015

In the Time column I am seeing mm-dd-yy and would like to see yyyy-mm-dd. In the Event column I see mmm dd which is fine.

I have created a props.conf file in the local folder with this text and it didn't help:
[splunkd]
TIME_FORMAT = %Y-%m-%d %H:%M:%S

jaqb · ‎04-07-2016

Any successes ?

I also would like have natural (yyyy-mm-dd) date in search results.

cmartell · ‎04-07-2016

No success yet. This is something Splunk needs to do. It is the International Standard Date Notation after all.

How can I change the date format of search results?

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)