Our data input contains two timestamp fields — creation_time and modification_time — both formatted in line with ISO 8601 (yyyy/mm/dd hh:mm:ss.ms).
Splunk parses modification_time as _time but, in doing so, it applies the system-default timestamp format, in our case the British one (dd/mm/yyyy hh:mm:ss.ms).
Is there any way that we can either:
Is your visualisation 'Events' or 'Stats Table'? Should work for Stats table view but if that view doesn't work for you then you could cheat a little.
| eval _time = modification_time
You can play with the time formatting with eval strptime (convert to unixtime) and feed that to strftime (format it the way you want), but it may be more hassle than it's worth.
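The strptime/strftime round trip suggested above, written out as an added SPL example (not part of the original answer). The sample value is constructed; the field name modification_time comes from the question, and the format string assumes the yyyy/mm/dd hh:mm:ss.ms layout the question describes, with %3N reading the millisecond part:

```spl
| makeresults
| eval modification_time="2023/04/05 14:07:09.123"
| eval mod_epoch=strptime(modification_time, "%Y/%m/%d %H:%M:%S.%3N")
| eval _time=mod_epoch
| eval modification_display=strftime(mod_epoch, "%Y-%m-%d %H:%M:%S.%3N")
| table modification_time mod_epoch _time modification_display
```

Setting _time from the parsed epoch keeps sorting and timeline behaviour correct, but the _time column itself is still rendered by Splunk Web according to the locale of the session, which is why assigning to it does not change the visible format. The strftime output is a plain string field, so whatever format it is given is what the table shows.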
Ah, it's an events table. Sorry, I forgot that there was another.
Unfortunately, "eval _time = modification_time" doesn't make a difference - the format stays the same. I suppose that's to be expected, though, as _time is originally derived from modification_time anyway. It's like _time has a hardcoded regional time format or something.
Sorry but that's all the tricks I know, not sure if there is something on the backend that can override it. Any of these recommendations I have sent have worked in my environment, but I'm not an admin so unsure of the backend wizardry.