I know there have been other questions asked about Splunk parsing dates. However, I have what appears to be a unique situation where I do not understand how Splunk is interpreting dates.
I have the following log entries:
Why is Splunk tagging the log entry as "06/12/11" when the log date is actually "3/6/12"?
Why is - Because Splunk sees the first date as the timestamp. But don't worry, you can easily fix that. I assume that the sourcetype for this data is RulesOnline. In $SPLUNK_HOME/etc/system/local/props.conf, put
This tells Splunk that the timestamp appears AFTER the first [ and that the timestamp appears within the first 60 characters of the event. When there are multiple strings that could be interpreted as timestamps, you sometimes need to give Splunk a little help to pick the right one.
There is more info in the manual here.
answered 08 Mar '12, 07:27
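The props.conf settings the answer describes, written out as an added example (not the answer author's own stanza, which is not shown on this page). It assumes the sourcetype is RulesOnline, as the answer does, and that each event looks like the constructed sample in the comments, where a date-like string precedes the real timestamp in square brackets; the TIME_FORMAT line is optional and assumes US month/day/year ordering.

```ini
# Added example for $SPLUNK_HOME/etc/system/local/props.conf (not from the page).
# Assumed sourcetype: RulesOnline. Constructed sample event it is written for,
# with an earlier date-like string before the real bracketed timestamp:
#   06/12/11 rule-set loaded [3/6/12 10:15:22] allow src=10.0.0.5 dst=10.0.0.9
[RulesOnline]
# Only look for the timestamp after the first "[" in the event, so the
# leading "06/12/11" is never considered as a candidate.
TIME_PREFIX = \[
# Stop looking 60 characters after the prefix, so a date further into the
# event cannot be picked up by mistake either.
MAX_TIMESTAMP_LOOKAHEAD = 60
# Optional: pin the format so "3/6/12" is read as 6 March 2012 rather than
# 3 June 2012 (assumption: US month/day/year order; drop if the log differs).
TIME_FORMAT = %m/%d/%y %H:%M:%S
```

This stanza has to live on the component that parses the data (the indexer, or a heavy forwarder in front of it), takes effect after a restart, and only applies to events indexed from then on; already-indexed events keep their wrong _time. To confirm it worked, search the sourcetype and compare _time against the bracketed timestamp in _raw for a few fresh events. Getting this right matters beyond tidiness: a timestamp pulled from the wrong field puts events months off on the timeline, so time-windowed alerts and incident reconstruction silently miss them.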