Solved: Re: _time improper format

kannu · ‎03-01-2018

Hello splunkers,

I have logs in my file
01-03-2018 15:54:58 WARNING [PID:88888][TradeId:11551427] /apps/abcrc/src/check/src/mx_rtpr.cpp:1146 - Sanity Check Exception void sanity_check(void*, rtPRICING_API_LIBRARY*)@/apps/abcrc/Flex/src/mx_rtpr.cpp:1034:End date not equal to option expiry date

that log is of 1st march 2018 but splunk has taken it as a log of 3 January 2018 , please suggest how to manipulate _time field so that my new data or existing data will come in proper time format .

493669 · ‎03-01-2018

Include TIME_FORMAT in props.conf

[sourcetype_name]
TIME_FORMAT = %d-%m-%Y %H:%M:%S

View solution in original post

493669 · ‎03-01-2018

Include TIME_FORMAT in props.conf

[sourcetype_name]
TIME_FORMAT = %d-%m-%Y %H:%M:%S

skoelpin · ‎03-01-2018

It would also be good to specify TIME_PREFIXand MAX_TIMESTAMP_LOOKAHEAD so splunk knows where the timestamp is located

[sourcetype_name]
TIME_PREFIX = ^
TIME_FORMAT = %d-%m-%Y %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 20

_time improper format

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026

Join the Conversation