×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Ognib
Explorer
Member since: ‎10-29-2020
‎05-12-2025
Community Statistics
Posts 4
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎10-29-2020
Activity Feed
View All

Re: UK dates recognised as US until 10th of the mo...

by in Getting Data In
‎10-29-2020 06:33 AM
‎10-29-2020 06:33 AM
Hi Giuseppe Thanks for the reply. The props.conf is identical on both UF and Indexer. We don't have any heavy forwarders.  I had thought I had read somewhere that it needed to be the same on both UF and Indexer, but I will try removing from the UF props.conf file.    Thanks ... View more

Re: UK dates recognised as US until 10th of the mo...

by in Getting Data In
‎10-29-2020 06:12 AM
‎10-29-2020 06:12 AM
Here's a couple of lines (redacted) from the file to show date format as recorded 01/10/2020         00:01:47               Microsoft-Windows-Security-Auditing    4672       8              12548 01/10/2020         00:01:47               Microsoft-Windows-Security-Auditing    4672       8              12548    ... View more

UK dates recognised as US until 10th of the month

by in Getting Data In
‎10-29-2020 06:10 AM
‎10-29-2020 06:10 AM
Hi All I am trying to index some log files that have been converted to tab delimited text files. These are being picked up by a Universal Forwarder and forwarded to a one-box Splunk Enterprise server.  Splunk is ingesting them ok but it is indexing the UK dates dd/mm/yyyy as US format mm/dd/yyyy for all dates up to the 10th of each month.  So, for October 8th (08/10/2020) for example I have no events indexed. The events collected on the 8th October have been indexed as August 10th.  So far I have changed props.conf on both UF and Splunk Enterprise to look like this [SourceType] NO_BINARY_CHECK = 1 TIME_PREFIX = ^ TIME_FORMAT = %d/%m/%Y %H:%M:%S I have also set the SourceType within Splunk to use Timezone = GMT Timestamp format = %d/%m/%Y %H:%M:%S Timestamp Prefix = ^ Any ideas where I am going wrong?  ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎05-12-2025 07:13 AM
Karma given to
View All