
Can you parse time from events created from alert actions?



I am struggling to figure out why I can't parse the time correctly from an event created as part of an alert. It was working until October 1st with the day formatted the European way. But once October 1st started, Splunk began parsing the date as American rather than European (1/10/2018 as January 10th). I have tested building a parser in a test instance with a text file and a data input, and it knows how to parse the date.

The search is set up as follows:
| eval a_time=strftime(latest,"%H:%M:%S %Z %d/%m/%Y")
and the output looks as such when an alert logs the event to the index:

$results.a_time$ ....

10:42:46 CEST 03/10/2018 .... Splunk shows this as March 10th.

The alerts go into the alerts_all index with a sourcetype of alert.

I figured I could create a props.conf file on my indexer to parse that date to make sure Splunk knows it is European but it isn't working.

I am not sure if it's possible to parse an event from an alert before it is indexed.

I have the props.conf file set up as follows.

[ alert ]

As a side note, it works when I do this, but I am trying to figure out why the previously described method doesn't work.

| eval time_now=now()
| eval time=strftime(time_now,"%Y-%m-%dT%H:%M:%S%z")




I think the issue lies in the stanza definition. I have had very bad experiences with whitespace in it.
Just try [alert] as the stanza.



Hi @hurricane13,

Here I am assuming that you are sending events from the Search Head to the Indexer. If that is the case, then put props.conf on the Search Head and not on the Indexer, because parsing is done on the first full Enterprise instance, and in this case that is the Search Head.


Ah yes, it is a distributed environment where I have it set to forward to the Index Cluster and have indexAndForward set to false. I did also put it on the Search Head Cluster from the Deployer and checked to make sure it was there. See below for the btool output from one of the Search Heads:

[splunk bin]$ splunk cmd btool props list --debug | grep volumes_base

/opt/splunk/searchhead/etc/apps/volumes_base/default/props.conf [ alert ]
/opt/splunk/searchhead/etc/apps/volumes_base/default/props.conf CHARSET = UTF-8
/opt/splunk/searchhead/etc/apps/volumes_base/default/props.conf NO_BINARY_CHECK = true
/opt/splunk/searchhead/etc/apps/volumes_base/default/props.conf SHOULD_LINEMERGE = true
/opt/splunk/searchhead/etc/apps/volumes_base/default/props.conf TIME_FORMAT = %H:%M:%S CEST %d/%m/%Y
/opt/splunk/searchhead/etc/apps/volumes_base/default/props.conf TZ = Europe/Amsterdam
/opt/splunk/searchhead/etc/apps/volumes_base/default/props.conf disabled = false

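The two things going on in this thread, reproduced outside Splunk as an added example (not code from the thread or from Splunk): the same alert string "03/10/2018" reads as October 3rd under %d/%m/%Y and March 10th under %m/%d/%Y, and a TIME_FORMAT that hard-codes the literal "CEST" (as in the btool output above) stops matching once strftime's %Z starts emitting "CET" after the clocks change. Python's strptime/strftime use the same C-style directives as Splunk's strftime() and TIME_FORMAT; fixed-offset zones stand in for Europe/Amsterdam summer and winter time so the script needs no tzdata.

```python
"""Reproduce the date ambiguity and the literal-"CEST" TIME_FORMAT problem."""
from datetime import datetime, timedelta, timezone

# Fixed-offset stand-ins (constructed) for Europe/Amsterdam summer and winter time.
CEST = timezone(timedelta(hours=2), "CEST")
CET = timezone(timedelta(hours=1), "CET")

ALERT_FMT = "%H:%M:%S %Z %d/%m/%Y"            # strftime pattern from the alert search
PROPS_TIME_FORMAT = "%H:%M:%S CEST %d/%m/%Y"   # TIME_FORMAT from the btool output


def alert_string(ts: datetime) -> str:
    """Render an aware timestamp the way the alert's eval a_time=strftime(...) does."""
    return ts.strftime(ALERT_FMT)


def date_under(text: str, fmt: str) -> str:
    """Parse only the trailing date field of an alert string with fmt; ISO date out."""
    return datetime.strptime(text.split()[-1], fmt).date().isoformat()


def european_vs_us(text: str) -> tuple[str, str]:
    """The ambiguity from the question: one string, read as %d/%m/%Y and as %m/%d/%Y."""
    return date_under(text, "%d/%m/%Y"), date_under(text, "%m/%d/%Y")


def time_format_matches(text: str, fmt: str) -> bool:
    """Would a props.conf-style TIME_FORMAT parse the whole event string?"""
    try:
        datetime.strptime(text, fmt)   # non-directive text such as CEST is matched literally
        return True
    except ValueError:
        return False


def summer_and_winter_samples() -> list[datetime]:
    """Constructed events: one from the question (CEST) and one after the DST change (CET)."""
    return [datetime(2018, 10, 3, 10, 42, 46, tzinfo=CEST),
            datetime(2018, 11, 3, 10, 42, 46, tzinfo=CET)]


def check_time_format(fmt: str, samples: list[datetime]) -> dict[str, bool]:
    """Map each rendered alert string to whether fmt would parse it."""
    return {alert_string(ts): time_format_matches(alert_string(ts), fmt) for ts in samples}


if __name__ == "__main__":
    s = alert_string(summer_and_winter_samples()[0])
    print(s, "-> European vs US:", european_vs_us(s))
    for line, ok in check_time_format(PROPS_TIME_FORMAT, summer_and_winter_samples()).items():
        print(line, "matches TIME_FORMAT" if ok else "does NOT match TIME_FORMAT")
```

The winter sample is the caveat to watch for with the stanza shown: with TZ = Europe/Amsterdam already set, a TIME_FORMAT that uses %Z (or drops the zone name from both the eval and the TIME_FORMAT) avoids the literal "CEST" mismatch.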


Is this still an issue?
