I just started logging DNS debug logs from Windows DNS servers. With the filename dns.log it is nicely identified as sourcetype=dns.
Timestamps are in the format 3/31/2011
Timestamp translation behaved as expected at first, but it seems that when I parsed a log file that was too far in the past (maybe +7 days?) Splunk decided to reverse the order of month and year.
I kinda get why... It is just a guess and has to go with its gut. If the day is not more than 12, the month and day are ambiguous if too far in the past.
Does anyone already have know-how and a pattern to specify this format manually?
"4/8/2011 1:10:57 PM"
asked 09 Apr '11, 04:29
Try adding a stanza to
The docs cover TIME_FORMAT at http://www.splunk.com/base/Documentation/latest/Data/Configuretimestamprecognition
answered 09 Apr '11, 14:19
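As an added illustration of the pinned-down time format the answer above points to (this is not the answerer's own stanza), here is a props.conf fragment for the "4/8/2011 1:10:57 PM" layout from the question. It assumes the sourcetype really is "dns" as the question says, that the timestamp sits at the very start of each log line, and that the file lives on the Splunk instance that parses the data (indexer or heavy forwarder), since timestamp extraction happens there, not on a universal forwarder.

```ini
# props.conf (added example, not from the original answer)
# Stanza name = the sourcetype assigned from the dns.log filename.
[dns]
# Timestamp is at the beginning of the line, so anchor there and stop
# Splunk from hunting for a date elsewhere in the event.
TIME_PREFIX = ^
# Explicit order removes the month/day guessing described in the question:
#   %m month, %d day, %Y 4-digit year, %I 12-hour clock, %p AM/PM
TIME_FORMAT = %m/%d/%Y %I:%M:%S %p
# Longest possible timestamp in this layout is "12/31/2011 12:10:57 PM" (22 chars)
MAX_TIMESTAMP_LOOKAHEAD = 22
```

Restart Splunk (or reload props) after adding the stanza, and note that it only affects events indexed from then on; data already indexed with swapped month and day keeps its wrong _time until it is re-indexed.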