Getting Data In

Can you parse time from events created from alert actions?

hurricane13
Engager

Hello,

I am struggling to figure out why I can't parse the time correctly from an event created as part of an alert. It was working until October 1st with the day formatted in European time. But once October first started, Splunk began parsing the date as american vs european (1/10/2018 as January 10th). I have tested building a parser in a test instance with a text file and data input and it knows how to parse the date.

The search is setup as followed:
| eval a_time=strftime(latest,"%H:%M:%S %Z %d/%m/%Y")
and the output looks as such when an alert logs the event to the index:

$results.a_time$ ....

10:42:46 CEST 03/10/2018 .... Splunk shows this as March 10th.

The alerts go into the alerts_all index with a sourcetype of alert.

I figured I could create a props.conf file on my indexer to parse that date to make sure Splunk knows it is European but it isn't working.

I am not sure if it's possible to parse an event from an alert before it is indexed.

I have the props.conf file setup as the following.

[ alert ]
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
TIME_FORMAT=%H:%M:%S CEST %d/%m/%Y
TZ=Europe/Amsterdam
CHARSET=UTF-8
disabled=false

As a side note it works when I do but I am trying to figure out why the previously described method doesn't work.

| eval time_now=now()
| eval time=strftime(time_now,"%Y-%m-%dT%H:%M:%S%z")

Thanks!

0 Karma

markusspitzli
Communicator

It think the issue lies in the stanza definition. I had very bad experience with whitespaces in it.
Just try [alert]as stanza

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Hi @hurricane13,

Here I am assuming that you are sending events from Search Head to Indexer. If that is the case then put props.conf on Search Head and not on Indexer because parsing will do on first full enterprise instance and in this case it is search head.

hurricane13
Engager

Ah yes, it is a distributed environment where I have it set to forward to Index Cluster and have indexAndForward set to false. I did also put it on the Search Head Cluster from the Deployer and checked to make sure it was there. See below for the btool from one of the Search Heads

[splunk bin]$ splunk cmd btool props list --debug | grep volumes_base

/opt/splunk/searchhead/etc/apps/volumes_base/default/props.conf [ alert ]
/opt/splunk/searchhead/etc/apps/volumes_base/default/props.conf CHARSET = UTF-8
/opt/splunk/searchhead/etc/apps/volumes_base/default/props.conf NO_BINARY_CHECK = true
/opt/splunk/searchhead/etc/apps/volumes_base/default/props.conf SHOULD_LINEMERGE = true
/opt/splunk/searchhead/etc/apps/volumes_base/default/props.conf TIME_FORMAT = %H:%M:%S CEST %d/%m/%Y
/opt/splunk/searchhead/etc/apps/volumes_base/default/props.conf TZ = Europe/Amsterdam
/opt/splunk/searchhead/etc/apps/volumes_base/default/props.conf disabled = false

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Is this still an issue?

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!