Recognize European date format

Recognize European date format

By default, timestamps in Splunk follow the convention of MM/DD/YYYY:HH:MM:SS. Configure Splunk to use the European date format for timestamps, either permanently (by editing literals.conf) or temporarily (search-by-search basis) by using the timeformat search modifier.

Note: The only European date format that Splunk currently supports swaps %m and %d (DD/MM/YYYY:HH:MM:SS). Any other changes to the date string format may cause significant errors in Splunk Web.

Configure European date format in literals.conf

Configure the date format in literals.conf using the SEARCH_TERM_TIME_FORMAT key. This key changes the format used by search modifiers, search terms, and Splunk Web. Configure your timestamps permanently by changing the string value of the SEARCH_TERM_TIME_FORMAT key.

Use $SPLUNK_HOME/etc/system/README/literals.conf.example as an example, or create your own literals.conf. Make any configuration changes to a copy of literals.conf in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see how configuration files work.

Default:

[ui]
SEARCH_TERM_TIME_FORMAT=%m/%d/%Y:%H:%M:%S
SEARCH_RESULTS_TIME_FORMAT = %m/%d/%Y %H:%M:%S

European date format:

[ui]
SEARCH_TERM_TIME_FORMAT= %d/%m/%Y:%H:%M:%S
SEARCH_RESULTS_TIME_FORMAT = %d/%m/%Y %H:%M:%S

Note: You may have to clear your browser's cache to see the result of this change.

Use the timeformat modifier

Use the timeformat search modifier to set timestamps to European format for a single search. Splunk timestamps have a the format timeformat=%m/%d/%Y:%H:%M:%S by default. Set European date format by swapping  %m and %d in the argument string.

Note: timeformat temporarily overrides the SEARCH_TERM_TIME_FORMAT= setting in literals.conf.

Example

Use timeformat as an argument to the search command or in Splunk Web's search bar.