Hi,
Sorry if this has been asked before but I could do with a quick straightforward answer for this one.
We have a text-based logfile in which each line starts with dd/MM/yy - HH:mm:ss (05/08/11 - 09:51:32).
The problem is that Splunk is reading the date as MM/dd/yy, so our logs are all over the place: over the last 3 days we now have logs for 8th March, 8th April and 8th May...
The logs are collected by a Universal forwarder on a windows server.
Which config file do I need to edit and what do I need to edit it with to get this to start parsing the date correctly?
Many Thanks,
Fraser
The file to edit or add is props.conf (for instance in $SPLUNK_HOME/etc/system/local).
Let's say the sourcetype for your log is "mylog". In that case you'll need to add this to props.conf:
[mylog]
TIME_FORMAT = %d/%m/%y - %H:%M:%S
These changes will take effect on new events that are indexed after restarting Splunk.
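Before deploying a TIME_FORMAT it is worth dry-running it against a few real lines. The following Python is an added example, not code from the original thread or from Splunk; it uses Python's strptime (whose %d %m %y %H %M %S directives mean the same as in Splunk's TIME_FORMAT) on a constructed set of sample lines to show why the mm/dd guess scatters events across months, and how a simple gap check catches it.

```python
"""Dry-run a Splunk-style TIME_FORMAT against sample log lines before
putting it in props.conf (added example, not from the original thread)."""
from datetime import datetime

# Constructed sample lines in the thread's dd/MM/yy - HH:mm:ss layout.
SAMPLE_LINES = [
    "05/08/11 - 09:51:32 service started",
    "06/08/11 - 09:51:40 backup completed",
    "12/08/11 - 10:02:17 disk check ok",
    "13/08/11 - 10:02:18 disk check ok",
]

CORRECT_FORMAT = "%d/%m/%y - %H:%M:%S"   # what the answer recommends
WRONG_FORMAT = "%m/%d/%y - %H:%M:%S"     # what Splunk effectively guessed

def parse_timestamps(lines, time_format):
    """Return (parsed, failures): datetimes for lines that matched the
    format, and the lines the format could not parse at all."""
    parsed, failures = [], []
    prefix_len = len("05/08/11 - 09:51:32")   # fixed-width timestamp prefix
    for line in lines:
        try:
            parsed.append(datetime.strptime(line[:prefix_len], time_format))
        except ValueError:
            failures.append(line)
    return parsed, failures

def max_gap_days(timestamps):
    """Largest gap in days between consecutive parsed timestamps. A format
    that swaps day and month turns one-day gaps into month-sized gaps."""
    if len(timestamps) < 2:
        return 0
    return max((b - a).days for a, b in zip(timestamps, timestamps[1:]))

def check_format(lines, time_format, max_expected_gap_days=7):
    """True only if every line parses and no gap exceeds the expected size."""
    parsed, failures = parse_timestamps(lines, time_format)
    return not failures and max_gap_days(parsed) <= max_expected_gap_days

if __name__ == "__main__":
    for fmt in (CORRECT_FORMAT, WRONG_FORMAT):
        print(fmt, "->", "ok" if check_format(SAMPLE_LINES, fmt) else "BAD")
```

With the wrong format the 13/08/11 line fails outright (there is no month 13) and the other three are spread over May, June and December, which is exactly the symptom described in the question.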
Just to update... I got it working by replacing the drive letter in the source.
[source::...MGR1.1\system\SYSTEM.LOG]
In your case, props.conf should be put on the indexer, not on the UF
(http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F).
Thanks for the quick response. I have just tried that; however, the latest logs are still coming in with the incorrect date.
I restarted both the Splunk server and the universal forwarder.
Should the .conf file be put on the Splunk server or on the server with the universal forwarder? Or both?
I have put this in the props file.
[source::V:\MGR1.1\system\SYSTEM.LOG]
TIME_FORMAT = %d/%m/%y - %H:%M:%S