The following are my searches and their results:
Search 1:
earliest="01/08/2016:00:00:01" latest="01/08/2016:23:59:59" `getABCsWin("XYZ","abc12345678")`
Result 1:
No results found.
Time format used in earliest and latest: DDMMYYYY
Search 2:
earliest="08/01/2016:00:00:01" latest="08/01/2016:23:59:59" `getABCsWin("XYZ","abc12345678")`
Result 2: Expected result acquired.
Time format used in earliest and latest: MMDDYYYY
We have been using search 1 for a long time to get the details, and recently search 1 stopped displaying any results. We observed a deviation in the Splunk search, i.e. instead of our default format, which was DDMMYYYY, events were being indexed with the wrong format, i.e. MMDDYYYY. So **how can we get result 2 for search 1** like before?
**Events were as follows:**
8/1/16
4:08:08.000 PM
Valid
08/01/2016 04:08:08 PM
... 12 lines omitted ...
Expected changes to the above events to get this resolved:
1/8/16
4:08:08.000 PM
Valid
01/08/2016 04:08:08 PM
... 12 lines omitted ...
Here I am just looking to change the date format from MMDDYYYY to DDMMYYYY to get the expected result.
Is this something to be done in props.conf in Splunk, or in the default log format?
Sorry if I confused you with my language.
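As an added example, not part of the question above and not taken from the poster's deployment: the index-time timestamp settings in props.conf that tell Splunk to read the in-event timestamp day-first instead of month-first. The sourcetype name `abc_win` is a placeholder, and the TIME_PREFIX assumes the timestamp follows the literal `Valid` token at the start of the raw event, as the sample events suggest; both are assumptions.

```ini
# props.conf (added example; the sourcetype name is a placeholder)
# This belongs on the tier that parses the data (indexers or heavy forwarders),
# e.g. $SPLUNK_HOME/etc/system/local/props.conf or an app's local/ directory.
[abc_win]
# Start looking for the timestamp just after the "Valid" token
# (assumption based on the sample events in the question).
TIME_PREFIX = ^Valid\s+
# Read "08/01/2016 04:08:08 PM" as day/month/year, so it is stamped
# 8 Jan 2016 rather than 1 Aug 2016. %I is the 12-hour clock, %p is AM/PM.
TIME_FORMAT = %d/%m/%Y %I:%M:%S %p
# "08/01/2016 04:08:08 PM" is 22 characters; do not scan further than that.
MAX_TIMESTAMP_LOOKAHEAD = 22
```

Two caveats a practitioner would want. First, these settings only affect events indexed after the change takes effect; the events already stored with an August _time keep it until that data is re-indexed, so the sample above will not move on its own. Second, the `earliest`/`latest` search modifiers have a fixed documented format of `%m/%d/%Y:%H:%M:%S`, independent of props.conf, so `earliest="01/08/2016:00:00:01"` always means 8 January; once newly indexed events carry a January _time, search 1 matches them again. To confirm the parse on a fresh sample, run a search over the sourcetype and compare `strftime(_time, "%d %b %Y %H:%M:%S")` with the raw event text. If the log format itself can be changed, an ISO 8601 timestamp such as `2016-01-08 16:08:08` removes the ambiguity entirely and Splunk recognizes it without a custom TIME_FORMAT.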