
New Time Format has Z on the end. Did you mean %Z for timezone recognition??

TWiseOne
Path Finder

I am using the "Microsoft Office 365 Reporting Add-on for Splunk" (https://splunkbase.splunk.com/app/3720/#/details):

We recently had an issue where, for some reason, the timestamp recognition from 1.0 broke and all events were just getting the time of the pull as the time. This was down to the time configuration being applied to a sourcetype that our data was not being ingested against, and the sourcetype it was ingested against didn't define any specific time config. I can see that has now changed and it's all been placed into a single sourcetype with the time formatting.

However, when reviewing the new 1.0.1 props.conf vs the 1.0 props.conf I can see the time format is different:

v1.0 = TIME_FORMAT = %Y-%m-%dT%H:%M:%S
v1.0.1 = TIME_FORMAT = %Y-%m-%dT%H:%M:%SZ

I can't see anything on http://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Commontimeformatvariables that would show me what the addition of the Z will do. There is a %Z for time zone recognition but our data does not contain this so is still not likely to work.

I do have a change window tonight and have removed the Z from the configuration. I just wanted to see if there was a valid use of the Z when none of the data I am seeing has this at the end of the timestamp after "DateReceived: ".

TIA

1 Solution

TWiseOne
Path Finder

As suspected the answer was to remove the Z from the end.

Frustratingly, I can't see a way to inform the developers, so anyone viewing this: please remove the Z if your data does NOT have a timezone setting at the end, and add a %Z if there is.

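As an added illustration (not code from the add-on or from anyone in this thread), the Python below mimics the TIME_PREFIX / MAX_TIMESTAMP_LOOKAHEAD / TIME_FORMAT pairing with strptime on two constructed events in the "DateReceived: " shape, showing that a literal Z in the format only matches data that actually ends in Z. Python's strptime is only an analogue of Splunk's timestamp extractor, and its %Z does not accept a bare "Z", so the timezone-directive case uses %z; the sample events and MessageId values are constructed.

```python
import re
from datetime import datetime

# Constructed sample events in the shape the thread describes: the timestamp
# follows "DateReceived: ". One has no trailing Z, one does.
SAMPLE_EVENTS = [
    'MessageId: <constructed-1> DateReceived: 2018-03-01T12:34:56 Status: Delivered',
    'MessageId: <constructed-2> DateReceived: 2018-03-01T12:34:56Z Status: Delivered',
]

# Analogue of TIME_PREFIX in props.conf.
TIME_PREFIX = re.compile(r'DateReceived:\s*')


def extract_timestamp(event, time_format, lookahead=30):
    """Return the parsed datetime, or None if time_format does not match.

    The text after the prefix (up to `lookahead` characters, like
    MAX_TIMESTAMP_LOOKAHEAD) is tried at decreasing lengths, so trailing
    fields such as " Status: ..." do not count as a mismatch; only the
    format string itself decides whether the timestamp is recognised.
    """
    m = TIME_PREFIX.search(event)
    if not m:
        return None
    candidate = event[m.end():m.end() + lookahead]
    # Longest candidate first, shrinking until strptime accepts it.
    for end in range(len(candidate), 0, -1):
        try:
            return datetime.strptime(candidate[:end], time_format)
        except ValueError:
            continue
    return None


def check_format(time_format, events=SAMPLE_EVENTS):
    """For each event, True if time_format extracted a timestamp, else False."""
    return [extract_timestamp(e, time_format) is not None for e in events]


if __name__ == '__main__':
    for fmt in ('%Y-%m-%dT%H:%M:%S',    # v1.0 format: matches both events
                '%Y-%m-%dT%H:%M:%SZ',   # v1.0.1 literal Z: needs a Z in the data
                '%Y-%m-%dT%H:%M:%S%z'): # directive: needs an offset or Z in the data
        print(fmt, check_format(fmt))
```

Running check_format over a sample of real raw events before a change window shows which candidate TIME_FORMAT actually matches; an event for which it returns None is the case the question describes, where extraction fails and the event ends up with the pull time instead.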


tiagofbmm
Influencer

Hi

Please check this document, where it states that %Z (not just "Z") gives an abbreviated TimeZone Indicator: "The timezone abbreviation. For example EST for US Eastern Standard Time."

http://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Commontimeformatvariables


TWiseOne
Path Finder

Tiago, I am not sure you read my question completely. I know that the variable is %Z for timezone; however, the props.conf in the new release (1.0.1), which apparently fixes timestamp errors, only has Z, which according to the same document you and I refer to DOES NOT match a Splunk-recognised time variable.

My question is more to the developer wondering if they made a mistake or if there is something I am missing. I have removed it from the new config until I can get an understanding of what, if anything, the Z does at the end of the TIME_FORMAT.

Happy to discuss, but I think you missed my point?


tiagofbmm
Influencer

What is that new release 1.0.1 of props? Release of what exactly?

Who added that "Z" in the end without anything else? Where is that coming from?


TWiseOne
Path Finder

Tiago, sorry to be blunt, but I raised the question under the "Microsoft Office 365 Reporting Add-on for Splunk" banner, so sorry if this was not clear (I will edit just to avoid any doubt).

The app is https://splunkbase.splunk.com/app/3720/#/details in case you wanted to download the 2 versions and verify my findings. If invalid then please let me know your thoughts and we can discuss accordingly.


tiagofbmm
Influencer

Pardon the misunderstanding, I should have noticed that too.

I would say you found a bug there. That Z has no documentation about it, so probably a mistake there.

Ultimately you can do a test yourself with that TIME_FORMAT, but according to Splunk docs that is not recognized.

Hope I helped anyway.


TWiseOne
Path Finder

Thanks for validating my thoughts Tiago, it's appreciated.

I can't see any way of raising a bug report with this app, except on here. I can see it was developed by SplunkWorks but I can't see any contact details.

I will see if I get any responses from the developer on here; otherwise I will try to raise it through additional channels.

Thank you for offering assistance, hopefully the developer can see and fix the issue asap.


tiagofbmm
Influencer

Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that.


TWiseOne
Path Finder

Tiago, I do love a tryer!

It was a bug and my proposed solution in the initial question worked and the logs are now being indexed with the correct timestamp. There doesn't appear to be a way to initiate a change with the developers but hey, hopefully anyone with the same issue will see this.

However, you didn't answer my question or add any additional information I didn't already call out in the question. Your first couple of comments made me wonder if you had even read it completely. I know we get points for answers and upvotes, but I am afraid this time it is not warranted.

Thanks for trying.
