Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Splunk parsing date incorrectly
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Sorry if this has been asked before but I could do with a quick straightforward answer for this one.
We have a text based logfile which has each line starting with dd/MM/yy - HH:mm:ss (05/08/11 - 09:51:32)
The problem is that splunk is reading the date as MM/dd/yy, so our logs are all over the place, over the last 3 days we now have logs for 8th march, 8th april, and 8th may....
The logs are collected by a Universal forwarder on a windows server.
Which config file do I need to edit and what do I need to edit it with to get this to start parsing the date correctly?
Many Thanks,
Fraser
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The file to edit or add is props.conf (for instance in $SPLUNK_HOME/etc/system/local).
Let's say the sourcetype for your log is "mylog". In that case you'll need to add this to props.conf:
[mylog]
TIME_FORMAT = %d/%m/%y - %H:%M:%S
These changes will take effect on new events that are indexed after restarting Splunk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The file to edit or add is props.conf (for instance in $SPLUNK_HOME/etc/system/local).
Let's say the sourcetype for your log is "mylog". In that case you'll need to add this to props.conf:
[mylog]
TIME_FORMAT = %d/%m/%y - %H:%M:%S
These changes will take effect on new events that are indexed after restarting Splunk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just to update.. I got it working by replacing the drive letter in the source.
[source::...MGR1.1\system\SYSTEM.LOG]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
in your case , props.conf should be put on indexer not on UF
(http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F )
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the quick response. I have just tried that however the latest logs are still coming in with the incorrect date.
I restarted both splunk server and the universal forwarder.
Should the .conf file be put on the splunk server or the server with the universal forwarder? or both?
I have put this in the props file.
[source::V:\MGR1.1\system\SYSTEM.LOG]
TIME_FORMAT = %d/%m/%y - %H:%M:%S
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
