Splunk Search

Splunk date format different to event date format

Explorer

Apologies if this has been answered before.

New install of Splunk 4.2.2. We require the European date format (dd/mm/yyyy) which we overcome by using this URL: http://splunk:8000/en-GB

This formats most dates correctly, except that there is a difference between the date that Splunk search displays, which is correct, and the date displayed in the actual WinEventLog, which is incorrect (mm/dd/yyyy).

We have one indexer and multiple Universal Forwarders (all 4.2.2) configured with a Deployment Server. Everything is running on Windows.

How do I fix this? Is it a setting on the forwarders or the indexer?


Ultra Champion

Then I assume that Windows internally keeps the US format of the date notations, and that the "Regional Settings" are applied when data is presented to the user (e.g. Event Viewer).

It's my guess that Splunk pulls the log files in the native format, regardless of the "Regional Settings". Do you really NEED to change it, or is it just that you want to eliminate any possible sources of confusion, by having the date recorded in the same (European) manner across all log files?

Perhaps there is a way around that, of which I am not aware, but tampering with the log files may be unwise, if the logs should need to be presented as evidence in court - even if rearranging the timestamp may seem like a small alteration. Then again, I am not a lawyer, but there is a reason why log centralization tools often boast that "log files are kept in their original format", "tamper-proof storage" etc etc.

Sorry that my previous answer was wrong.

Kristian


Ultra Champion

Hello

This has nothing to do with Splunk at all. It only shows that Splunk is able to parse "incorrect" (or rather "different") date notations and present them to you in the desired format dd/mm/yyyy.

If you want to change the date format within an event, you should go to the source, i.e. configure each Windows instance to use a different locale setting. This will affect more than just the date format though. I'm not a Windows administrator, but if I remember it correctly, changing locale settings will also give you different notations for time (AM/PM vs 24hr clock), numbers (whether to use dots or commas as a separator, 1,000 vs 1.000 for one thousand), etc.

See the "Regional Settings" in the Control Panel in Windows (for XP that is, probably similar in other variants).

Hope this helps.

Kristian


Explorer

Thanks very much for your response.

All of our servers are set correctly for the European date format (Australia actually). The local Event Viewers display the date correctly in the logs also. I checked Regional Settings and all settings are set for dd/mm/yyyy.

Has anyone else ever come across this issue and resolved it?

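The thread turns on two dates that can disagree: the timestamp Splunk assigns to the event (_time, which the search UI renders in the chosen locale) and the date text inside the event body (which stays in whatever format the source wrote). When the body is mm/dd/yyyy and the extractor reads it as dd/mm/yyyy, or the other way round, every event whose day is 12 or less is silently dated wrong, which is exactly the kind of error that wrecks an incident timeline. The script below is an added example, not code from this thread, from Splunk or from the forwarder: it infers the body's convention from the unambiguous events in a sample and flags any event whose _time equals the body date with day and month exchanged. The events are constructed; _time and _raw are Splunk's standard field names, but the bodies are simplified stand-ins for WinEventLog events.

```python
"""Cross-check the timestamp Splunk assigned to each event (_time) against the
date text at the start of the event body, to catch day/month swaps.

Added example: not code from the thread, from Splunk, or from the forwarder.
The events below are constructed; the bodies are simplified stand-ins for
WinEventLog events (a mm/dd/yyyy date first, then a few Key=Value lines)."""
import re
from datetime import date, datetime

# Constructed sample events: (_time as Splunk stores it, rendered in ISO form; _raw).
SAMPLE_EVENTS = [
    ("2011-04-13T09:15:02", "04/13/2011 09:15:02 AM\nLogName=Security\nEventCode=4624"),
    ("2011-04-03T10:20:11", "04/03/2011 10:20:11 AM\nLogName=Security\nEventCode=4624"),
    # Same body date as above, but _time has day and month the other way round:
    # this is what a mis-guessed timestamp format looks like on an ambiguous date.
    ("2011-03-04T10:20:11", "04/03/2011 10:20:11 AM\nLogName=Security\nEventCode=4625"),
    # Body with no leading a/b/yyyy date at all; there is nothing to compare.
    ("2011-05-20T08:00:00", "LogName=Application\nEventCode=1000"),
]

LEADING_DATE = re.compile(r"^(\d{1,2})/(\d{1,2})/(\d{4})")


def safe_date(year, month, day):
    """date() or None when the combination is not a real calendar date."""
    try:
        return date(year, month, day)
    except ValueError:
        return None


def leading_numbers(raw):
    """The three numbers of a leading a/b/yyyy date, or None."""
    m = LEADING_DATE.match(raw)
    return tuple(int(x) for x in m.groups()) if m else None


def body_convention(events):
    """Infer whether body dates are mm/dd ('mdy') or dd/mm ('dmy').

    Only events where one of the two readings is not a valid date settle the
    question (04/13/2011 can only be April 13th).  Returns None if no event in
    the sample settles it, and raises if the events contradict each other.
    """
    seen = set()
    for _, raw in events:
        nums = leading_numbers(raw)
        if nums is None:
            continue
        a, b, year = nums
        if safe_date(year, a, b) is None:   # a cannot be a month -> day first
            seen.add("dmy")
        if safe_date(year, b, a) is None:   # b cannot be a month -> month first
            seen.add("mdy")
    if len(seen) > 1:
        raise ValueError("body dates mix mm/dd and dd/mm: %s" % sorted(seen))
    return seen.pop() if seen else None


def audit(events, convention=None):
    """Compare _time with the body date under the given (or inferred) convention.

    Returns lists of _time strings keyed by verdict:
      ok       - _time agrees with the body date
      swapped  - _time equals the body date with day and month exchanged,
                 i.e. the timestamp extractor guessed the wrong order
      mismatch - _time is a different date altogether (clock skew, wrong TZ, ...)
      no_date  - body carries no leading a/b/yyyy date, nothing to compare
    """
    convention = convention or body_convention(events)
    if convention is None:
        raise ValueError("no unambiguous dates in sample; pass convention explicitly")
    report = {"ok": [], "swapped": [], "mismatch": [], "no_date": []}
    for indexed_time, raw in events:
        nums = leading_numbers(raw)
        if nums is None:
            report["no_date"].append(indexed_time)
            continue
        a, b, year = nums
        month, day = (a, b) if convention == "mdy" else (b, a)
        expected = safe_date(year, month, day)
        swapped = safe_date(year, day, month)
        indexed = datetime.fromisoformat(indexed_time).date()
        if indexed == expected:
            report["ok"].append(indexed_time)
        elif swapped is not None and indexed == swapped:
            report["swapped"].append(indexed_time)
        else:
            report["mismatch"].append(indexed_time)
    return report


if __name__ == "__main__":
    print("body convention:", body_convention(SAMPLE_EVENTS))
    for verdict, times in audit(SAMPLE_EVENTS).items():
        print("%-8s %s" % (verdict, times))
```

On a real index the sample would come from a search that returns _time and _raw for a window that spans at least one day above the 12th; without such a day the body convention cannot be inferred and must be passed explicitly. An event that lands in the "swapped" bucket is not fixed by changing the locale of the search UI, since _time itself is wrong; it points at the timestamp extraction on the indexing side, which is a separate question from the locale the forwarding hosts use to render the body.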