
Sourcetype started indexing to wrong date - MDY to YMD

Hi All,

I recently started having an issue with a few of my sourcetypes where they are logging to the wrong date. These sourcetypes were working fine for the last year and I have not found any changes that have been made.

The file being indexed is named like /oltp080813.log, as in Aug 8th, 2013. No date value is in the file being indexed.

An example of one of the events is: FINER | 07:56:37.929 | 1375966597928 | [ACTIVE] ExecuteThread: '10' for queue: 'weblogic.kernel.Default (self-tuning)'

Splunk is correctly identifying the time values, which I verified with timestartpos and timeendpos. The date, however, is now being parsed as Aug 13th, 2008 rather than Aug 8th, 2013. This started on 08/02/2013 (which was indexed as 02/13/08).

What I believe is happening is that, starting right after 08/01/2013 @ 23:59:59 (last properly indexed event), Splunk started interpreting my filename of oltp080813 to be a YMD date format rather than an MDY format. I have no idea why this just started happening, and I have not been able to find anything in the Splunk documentation that specifically outlines how I can modify my sourcetype(s) to use a different date format when pulling the date info from the file name.

I am open to other solutions as well, but I have many sourcetypes on this server that are still working, so I am hesitant to set any global parameters.

I have seen it suggested elsewhere that you can specifically tell Splunk in props.conf to use the current date/time for a given sourcetype using DATETIME_CONFIG = CURRENT. As a last resort I could do this, but I would rather continue to use the time value that exists in the files I am indexing, as those are still being indexed correctly.

I have also read through the precedence docs here: http://splunk-base.splunk.com/answers/24275/how-does-splunk-get-date-from-file

  1. If no events in a source have a time or date, look in the source (or file) name.
  2. For file sources, if no time or date can be identified in the file name, use the modification time on the file.

The problem I am having is that the date IS identified in the file name (just incorrectly, as YMD rather than MDY); therefore the modification date of the file won't be used.

I am currently running v4.3.5 build 140437 of Splunk and am using heavy forwarders to forward to the indexer.

In addition to any potential solutions, I would be grateful for anybody's thoughts as to how or why this just started happening all of a sudden.

Thanks!
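An added illustration, not part of the original post and not Splunk's own code, of the two things the post turns on: a bare six-digit token such as 080813 has more than one valid calendar reading, so any heuristic that picks one can flip between files, and the 13-digit epoch-millisecond field that is already in each event carries the full date and can arbitrate. The filename, the event line and the UTC-5 offset (the offset that makes the sample's 07:56:37 wall clock line up with its epoch field) are constructed from the post; the MDY/YMD/DMY orderings are an assumption about what a date-guessing heuristic might try, not a description of Splunk's datetime.xml.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input, shaped like the filename and event in the post.
SAMPLE_FILENAME = "/oltp080813.log"
SAMPLE_EVENT = (
    "FINER | 07:56:37.929 | 1375966597928 | [ACTIVE] ExecuteThread: '10' "
    "for queue: 'weblogic.kernel.Default (self-tuning)'"
)

# Assumed orderings a date-guessing heuristic could try on a six-digit token.
CANDIDATE_FORMATS = {"MDY": "%m%d%y", "YMD": "%y%m%d", "DMY": "%d%m%y"}

# "LEVEL | HH:MM:SS.mmm | <13-digit epoch ms> | ..."
EVENT_RE = re.compile(r"^\w+ \| (\d{2}):(\d{2}):(\d{2})\.\d{3} \| (\d{13}) \|")


def filename_date_candidates(path):
    """Every calendar date the first six-digit run in `path` can be read as.

    More than one distinct value means the filename alone does not pin
    down the date; a heuristic that silently picks one reading can switch
    to another from one file to the next.
    """
    m = re.search(r"(?<!\d)(\d{6})(?!\d)", path)
    if not m:
        return {}
    token = m.group(1)
    out = {}
    for name, fmt in CANDIDATE_FORMATS.items():
        try:
            out[name] = datetime.strptime(token, fmt).date()
        except ValueError:
            pass  # this ordering does not produce a real date
    return out


def is_ambiguous(path):
    """True when the filename token has more than one distinct reading."""
    return len(set(filename_date_candidates(path).values())) > 1


def event_timestamp_utc(line):
    """Full UTC timestamp from the event's epoch-millisecond field.

    Integer arithmetic keeps the millisecond exact (no float rounding).
    """
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError("event carries no epoch-millisecond field")
    ms = int(m.group(4))
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc) + timedelta(
        milliseconds=ms % 1000
    )


def wall_clock_matches(line, utc_offset_hours):
    """Check the HH:MM:SS field against the epoch field shifted into a zone.

    Compared to the second only: in the sample the two fields differ by
    one millisecond (.929 vs .928).
    """
    m = EVENT_RE.match(line)
    if not m:
        return False
    local = event_timestamp_utc(line).astimezone(
        timezone(timedelta(hours=utc_offset_hours))
    )
    return (local.hour, local.minute, local.second) == tuple(
        int(g) for g in m.group(1, 2, 3)
    )


def resolve_filename_date(path, line, utc_offset_hours):
    """Keep only the filename readings that agree with the event's epoch
    field in the log's local zone. Returns {} when none agree."""
    local = event_timestamp_utc(line).astimezone(
        timezone(timedelta(hours=utc_offset_hours))
    )
    return {
        name: d
        for name, d in filename_date_candidates(path).items()
        if d == local.date()
    }


if __name__ == "__main__":
    # UTC-5 is assumed: it is the offset that makes the sample's wall
    # clock (07:56:37) line up with its epoch field (12:56:37 UTC).
    print("filename readings:", filename_date_candidates(SAMPLE_FILENAME))
    print("ambiguous:", is_ambiguous(SAMPLE_FILENAME))
    print("epoch field (UTC):", event_timestamp_utc(SAMPLE_EVENT).isoformat())
    print("wall clock agrees at UTC-5:", wall_clock_matches(SAMPLE_EVENT, -5))
    print("readings consistent with event:",
          resolve_filename_date(SAMPLE_FILENAME, SAMPLE_EVENT, -5))
```

For the sample, MDY and DMY both give 2013-08-08 and YMD gives 2008-08-13, the exact pair of readings the post reports; for a file like oltp080213.log all three orderings give different dates. Because the epoch field is already in every event, one option that keeps the event's own time (rather than falling back to DATETIME_CONFIG = CURRENT) is to point the sourcetype at that field with TIME_PREFIX and TIME_FORMAT in props.conf; the props.conf spec documents %s for epoch seconds and %3N for milliseconds, but whether 4.3.5 honours both is worth confirming on a test copy of the file before changing a production sourcetype.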
