- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Splunk date format different to event date format
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk date format different to event date format
Apologies if this has been answered before.
New install of Splunk 4.2.2. We require the Europian date format (dd/mm/yyyy) which we overcome by using this URL: http://splunk:8000/en-GB
This formats most dates correctly except that there is a difference between the date that splunk search displays which is correct and the date displayed in the actual WinEventLog which is incorrect (mm/dd/yyyy).
We have one indexer and mutliple Universal Forwarders (all 4.2.2) configured with a Deployment Server. Everything is running on Windows.
How do I fix this? Is it a setting on the forwarders or the indexer?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Then I assume that Windows internally keeps the US format of the date notations, and that the "Regional Settings" are applied when data is presented to the user (e.g. Event Viewer).
It's my guess that Splunk pulls the log files in the native format, regardless of the "Regional Settings". Do you really NEED to change it, or is it just that you want to eliminate any possible sources of confusion, by having the date recorded in the same (European) manner across all log files?
Perhaps there is a way around that, of which I am not aware, but tampering with the log files may be unwise, if the logs should need to be presented as evidence in court - even if rearranging the timestamp may seem like a small alteration. Then again, I am not a lawyer, but there is a reason why log centralization tools often boast that "log files are kept in their original format", "tamper-proof storage" etc etc.
Sorry that my previous answer was wrong.
Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
This has nothing to do with Splunk at all. It only shows that Splunk is able to parse "incorrect" (or rather "different") date notations and present them to you in the desired format dd/mm/yyyy.
If you want to change the date format within an event, you should go to the source, i.e. configure each Windows instance to use a different locale setting. This will affect more than just the date format though. I'm not a Windows administrator, but if I remember it correctly changing locale settings will also give you different notations for time (AP-PM vs 24hr clock), numbers (whether to use dots or commas as a separator) 1,000 vs 1.000 for one thousand etc etc.
See the "Regional Settings" in the Control Panel in Windows (for XP that is, probably similar in other variants).
Hope this helps.
Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks very much for your response.
All of our servers are set correctly for Europian date (Australia actually). The local event viewers display the date correctly in the logs also. I checked Regional Settings and all settings are set for dd/mm/yyy.
Has anyone else ever come accross this issue and resolved it?
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
