Sorry if this has been asked before, but I could do with a quick, straightforward answer for this one.
We have a text-based logfile in which each line starts with dd/MM/yy - HH:mm:ss (05/08/11 - 09:51:32).
The problem is that Splunk is reading the date as MM/dd/yy, so our logs are all over the place; over the last 3 days we now have logs for 8th March, 8th April, and 8th May....
The logs are collected by a Universal Forwarder on a Windows server.
Which config file do I need to edit and what do I need to edit it with to get this to start parsing the date correctly?
Many Thanks, Fraser
asked 05 Aug '11, 01:54
The file to edit or add is
Let's say the sourcetype for your log is "mylog". In that case you'll need to add this to
These changes will take effect on new events that are indexed after restarting Splunk.
answered 05 Aug '11, 02:04
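An added example, not part of the original answer: Splunk's `TIME_FORMAT` setting in props.conf takes a strptime-style pattern, and this Python check runs the day-first pattern `%d/%m/%y - %H:%M:%S` against constructed lines in the question's layout to show which timestamps a month-first reading shifts silently and which it rejects. The sample lines and function names are assumptions made for illustration.

```python
from datetime import datetime

# Constructed sample lines in the layout the question describes
# (dd/MM/yy - HH:mm:ss); the message text is invented.
SAMPLE_LINES = [
    "03/08/11 - 23:10:05 service started",
    "04/08/11 - 07:45:19 user logon",
    "05/08/11 - 09:51:32 user logoff",
    "13/08/11 - 00:00:01 log rotated",
]

DAY_FIRST = "%d/%m/%y - %H:%M:%S"    # what the file actually uses
MONTH_FIRST = "%m/%d/%y - %H:%M:%S"  # the reading described in the question
STAMP_LEN = len("05/08/11 - 09:51:32")  # 19 characters at line start


def parse(line, fmt):
    """Return the timestamp at the start of line, or None if fmt does not fit."""
    try:
        return datetime.strptime(line[:STAMP_LEN], fmt)
    except ValueError:
        return None


def audit(lines):
    """Classify each line by how a month-first reading would treat it."""
    report = []
    for line in lines:
        good = parse(line, DAY_FIRST)
        bad = parse(line, MONTH_FIRST)
        if good is None:
            status, skew = "unparsed", None
        elif bad is None:
            status, skew = "rejected", None  # day > 12: month-first fails outright
        elif bad == good:
            status, skew = "same", 0         # day equals month, e.g. 08/08/11
        else:
            status, skew = "shifted", (good - bad).days  # silently wrong date
        report.append((line[:STAMP_LEN], status, skew))
    return report


if __name__ == "__main__":
    for stamp, status, skew in audit(SAMPLE_LINES):
        print(f"{stamp}  {status:<8}  skew_days={skew}")
```

The "shifted" rows are the ones that matter for searches and alerting: they index without error but land months away from the real event time, so any events indexed before the format was corrected keep the wrong timestamp.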