Documentation > Splunk > Admin Manual > Recognize European date format

Admin Manual

 


About the Splunk Admin Manual
How Splunk Works
Getting Started
Data Inputs
Data Distribution
Indexing
Timestamps
Fields
Hosts
Source Types
Event Types
Transaction Types
Search
Distributed Search
Alerts
Security
Data Management
Deployment Server
Performance Tuning
Configuration Files
Applications
Reference
Troubleshooting

Recognize European date format

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Contents

Recognize European date format

By default, timestamps in Splunk follow the convention of MM/DD/YYYY:HH:MM:SS. Configure Splunk to use the European date format for timestamps, either permanently (by editing literals.conf) or temporarily (search-by-search basis) by using the timeformat search modifier.

Note: The only European date format that Splunk currently supports swaps %m and %d (DD/MM/YYYY:HH:MM:SS). Any other changes to the date string format may cause significant errors in Splunk Web.


Configure European date format in literals.conf

Configure the date format in literals.conf using the SEARCH_TERM_TIME_FORMAT key. This key changes the format used by search modifiers, search terms, and Splunk Web. Configure your timestamps permanently by changing the string value of the SEARCH_TERM_TIME_FORMAT key.

Use $SPLUNK_HOME/etc/system/README/literals.conf.example as an example, or create your own literals.conf. Make any configuration changes to a copy of literals.conf in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see how configuration files work.

Default: 

[ui]
SEARCH_TERM_TIME_FORMAT=%m/%d/%Y:%H:%M:%S
SEARCH_RESULTS_TIME_FORMAT = %m/%d/%Y %H:%M:%S

European date format: 

[ui]
SEARCH_TERM_TIME_FORMAT= %d/%m/%Y:%H:%M:%S
SEARCH_RESULTS_TIME_FORMAT = %d/%m/%Y %H:%M:%S

Note: You may have to clear your browser's cache to see the result of this change.

Use the timeformat modifier

Use the timeformat search modifier to set timestamps to European format for a single search. Splunk timestamps have a the format timeformat=%m/%d/%Y:%H:%M:%S by default. Set European date format by swapping  %m and %d in the argument string.

Note: timeformat temporarily overrides the SEARCH_TERM_TIME_FORMAT= setting in literals.conf.

Example

Use timeformat as an argument to the search command or in Splunk Web's search bar.

timeformat=%d/%m/%Y:%H:%M:%S
Retrieved from "http://docs.splunk.com/Documentation/Splunk/3.3.2/Admin/RecognizeEuropeanDateFormat"

This documentation applies to the following versions of Splunk: 3.3 , 3.3.1 , 3.3.2 , 3.3.3 , 3.3.4 , 3.4 , 3.4.1 , 3.4.2 , 3.4.3 , 3.4.5 , 3.4.6 , 3.4.8 , 3.4.9 , 3.4.10 , 3.4.11 , 3.4.12 , 3.4.13 , 3.4.14 View the Article History for its revisions.


You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!