Getting Data In

Can you parse time from events created from alert actions?

hurricane13
Engager

Hello,

I am struggling to figure out why I can't parse the time correctly from an event created as part of an alert. It was working until October 1st with the day formatted in the European order. But once October 1st started, Splunk began parsing the date as American rather than European (1/10/2018 as January 10th). I have tested building a parser in a test instance with a text file and data input, and it knows how to parse the date.

The search is set up as follows:
| eval a_time=strftime(latest,"%H:%M:%S %Z %d/%m/%Y")
and the output looks as such when an alert logs the event to the index:

$results.a_time$ ....

10:42:46 CEST 03/10/2018 .... Splunk shows this as March 10th.

The alerts go into the alerts_all index with a sourcetype of alert.

I figured I could create a props.conf file on my indexer to parse that date to make sure Splunk knows it is European but it isn't working.

I am not sure if it's possible to parse an event from an alert before it is indexed.

I have the props.conf file setup as the following.

[ alert ]
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
TIME_FORMAT=%H:%M:%S CEST %d/%m/%Y
TZ=Europe/Amsterdam
CHARSET=UTF-8
disabled=false

As a side note, it works when I do the following, but I am trying to figure out why the previously described method doesn't work.

| eval time_now=now()
| eval time=strftime(time_now,"%Y-%m-%dT%H:%M:%S%z")

Thanks!

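Added example, not code from the original post: it reproduces the day/month ambiguity hurricane13 describes on the exact a_time string from the question, and adds the check a practitioner would want before trusting a TIME_FORMAT that contains a literal zone abbreviation. The sample events are constructed in the shape the alert writes; the CET/CEST offsets are the ones Europe/Amsterdam (the TZ in the posted props.conf) actually uses, and the TIME_FORMAT-to-regex translation is a simplified model of how Splunk tries the format against the start of an event, covering only the conversion specifiers that appear in the post.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample events, in the shape $results.a_time$ produces (see the post).
SUMMER_EVENT = "10:42:46 CEST 03/10/2018 ...."   # the line from the question
WINTER_EVENT = "10:42:46 CET 15/01/2018 ...."    # same eval after DST ends: %Z emits CET

# Fixed offsets for the abbreviations Europe/Amsterdam emits; the event carries
# the abbreviation itself, so no tz database is needed to interpret it.
ZONE_OFFSETS = {"CET": timedelta(hours=1), "CEST": timedelta(hours=2)}

_TS_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}) ([A-Z]{3,5}) (\d{2}/\d{2}/\d{4})")


def parse_alert_time(event: str, day_first: bool = True) -> datetime:
    """Parse the leading timestamp of an alert event.

    day_first=True  -> European %d/%m/%Y, what the search actually emitted.
    day_first=False -> US %m/%d/%Y, how Splunk read it from 1 October onwards.
    """
    m = _TS_RE.match(event)
    if not m:
        raise ValueError(f"no timestamp at start of event: {event!r}")
    clock, zone, date = m.groups()
    if zone not in ZONE_OFFSETS:
        raise ValueError(f"unknown zone abbreviation {zone!r}")
    fmt = "%H:%M:%S %d/%m/%Y" if day_first else "%H:%M:%S %m/%d/%Y"
    naive = datetime.strptime(f"{clock} {date}", fmt)
    return naive.replace(tzinfo=timezone(ZONE_OFFSETS[zone], zone))


def epoch(event: str, day_first: bool = True) -> int:
    """Epoch seconds Splunk should have assigned to _time for this event."""
    return int(parse_alert_time(event, day_first).timestamp())


# Simplified model of a Splunk TIME_FORMAT: strptime specifiers become digit
# groups, everything else (including a hard-coded 'CEST') must match literally.
_TOKENS = {"%H": r"\d{2}", "%M": r"\d{2}", "%S": r"\d{2}", "%d": r"\d{2}",
           "%m": r"\d{2}", "%Y": r"\d{4}", "%Z": r"[A-Z]{3,5}"}


def time_format_matches(event: str, time_format: str) -> bool:
    """Would this TIME_FORMAT match the start of the event at all?"""
    pattern, i = "", 0
    while i < len(time_format):
        tok = time_format[i:i + 2]
        if tok in _TOKENS:
            pattern += _TOKENS[tok]
            i += 2
        else:
            pattern += re.escape(time_format[i])
            i += 1
    return re.match(pattern, event) is not None


if __name__ == "__main__":
    print("European read:", parse_alert_time(SUMMER_EVENT).isoformat(), epoch(SUMMER_EVENT))
    print("US read      :", parse_alert_time(SUMMER_EVENT, day_first=False).isoformat())
    for fmt in ("%H:%M:%S CEST %d/%m/%Y", "%H:%M:%S %Z %d/%m/%Y"):
        print(f"{fmt!r} matches winter event:", time_format_matches(WINTER_EVENT, fmt))
```

The second half is the caveat: the eval in the question uses `%Z`, so the same alert will write `CET` once DST ends, and a TIME_FORMAT with the literal `CEST` stops matching at that point; using `%Z` in TIME_FORMAT (or leaving the zone out of the event and relying on `TZ`) avoids a second surprise later in October.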

markusspitzli
Communicator

I think the issue lies in the stanza definition. I have had very bad experiences with whitespace in it.
Just try [alert] as the stanza.

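Added example, not code from the thread: a small props.conf checker that turns markusspitzli's observation into something you can run against a conf file or pasted btool output before deploying it. It parses stanzas and their key/value pairs, flags any stanza header whose name differs from its whitespace-stripped form (so `[ alert ]` is reported as never matching sourcetype `alert`), and reports when no stanza matches the sourcetype the alert actually writes. The sample conf is constructed from the stanza in the question plus a clean one for contrast; the parser is deliberately minimal (no continuation lines or comments).

```python
import re

# Constructed sample: the stanza exactly as posted, plus a clean one for contrast.
SAMPLE_PROPS = """\
[ alert ]
SHOULD_LINEMERGE=true
TIME_FORMAT=%H:%M:%S CEST %d/%m/%Y
TZ=Europe/Amsterdam

[alert_clean]
TIME_FORMAT=%H:%M:%S %Z %d/%m/%Y
TZ=Europe/Amsterdam
"""

_STANZA_RE = re.compile(r"^\[(.*)\]\s*$")
_KV_RE = re.compile(r"^([^=\s][^=]*?)\s*=\s*(.*)$")


def parse_props(conf_text: str) -> dict:
    """Return {stanza_name: {key: value}} with stanza names kept exactly as written."""
    stanzas, current = {}, None
    for line in conf_text.splitlines():
        m = _STANZA_RE.match(line)
        if m:
            current = m.group(1)          # whitespace inside the brackets is preserved on purpose
            stanzas[current] = {}
            continue
        kv = _KV_RE.match(line)
        if kv and current is not None:
            stanzas[current][kv.group(1)] = kv.group(2)
    return stanzas


def check_stanzas(conf_text: str, expected_sourcetype: str) -> list:
    """Findings that explain why a sourcetype stanza may silently never apply."""
    findings = []
    stanzas = parse_props(conf_text)
    for name in stanzas:
        if name != name.strip():
            findings.append(
                f"stanza [{name}] has whitespace inside the brackets; "
                f"rename it to [{name.strip()}]"
            )
    if expected_sourcetype not in stanzas:
        findings.append(f"no stanza named exactly [{expected_sourcetype}]")
    return findings


if __name__ == "__main__":
    for finding in check_stanzas(SAMPLE_PROPS, "alert"):
        print("FINDING:", finding)
    fixed = SAMPLE_PROPS.replace("[ alert ]", "[alert]")
    print("after fix:", check_stanzas(fixed, "alert") or "no findings")
```

Pass it the sourcetype as it appears on the indexed events (`alert` here); a header that only looks right in an editor is the kind of thing btool will happily echo back without complaint, as the output later in this thread shows.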

harsmarvania57
Ultra Champion

Hi @hurricane13,

Here I am assuming that you are sending events from the Search Head to the Indexer. If that is the case, then put props.conf on the Search Head and not on the Indexer, because parsing is done on the first full Enterprise instance, and in this case that is the Search Head.

hurricane13
Engager

Ah yes, it is a distributed environment where I have it set to forward to the Index Cluster and have indexAndForward set to false. I also put it on the Search Head Cluster from the Deployer and checked to make sure it was there. See below for the btool output from one of the Search Heads.

[splunk bin]$ splunk cmd btool props list --debug | grep volumes_base

/opt/splunk/searchhead/etc/apps/volumes_base/default/props.conf [ alert ]
/opt/splunk/searchhead/etc/apps/volumes_base/default/props.conf CHARSET = UTF-8
/opt/splunk/searchhead/etc/apps/volumes_base/default/props.conf NO_BINARY_CHECK = true
/opt/splunk/searchhead/etc/apps/volumes_base/default/props.conf SHOULD_LINEMERGE = true
/opt/splunk/searchhead/etc/apps/volumes_base/default/props.conf TIME_FORMAT = %H:%M:%S CEST %d/%m/%Y
/opt/splunk/searchhead/etc/apps/volumes_base/default/props.conf TZ = Europe/Amsterdam
/opt/splunk/searchhead/etc/apps/volumes_base/default/props.conf disabled = false


harsmarvania57
Ultra Champion

Is this still an issue?
