<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: How do I deal with inconsistent time formats from Microsoft Azure? in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/How-do-I-deal-with-inconsistent-time-formats-from-Microsoft/m-p/694899#M115442</link>
    <description>&lt;P&gt;Does Splunk parse the time correctly on its own? Try comparing the extracted time of the event with the time in the raw text of the event.&lt;/P&gt;&lt;P&gt;If they are the same and/or adjusted for timezone, then you are good to go.&lt;/P&gt;&lt;P&gt;If they are consistently different with one or more hours between them, then it is likely a timezone issue that can be fixed using props.conf.&lt;/P&gt;&lt;P&gt;If they are variably different, then it could be a timestamp extraction issue.&lt;/P&gt;</description>
    <pubDate>Wed, 31 Jul 2024 19:19:22 GMT</pubDate>
    <dc:creator>marnall</dc:creator>
    <dc:date>2024-07-31T19:19:22Z</dc:date>
    <item>
      <title>How do I deal with inconsistent time formats from Microsoft Azure?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-do-I-deal-with-inconsistent-time-formats-from-Microsoft/m-p/694721#M115431</link>
      <description>&lt;P&gt;When ingesting Microsoft Azure data, we see different time formats for different Azure categories, and I wonder how to parse it correctly? Both timezones seem to be UTC. Is the proper approach to set&lt;/P&gt;
&lt;PRE&gt;TZ=UTC&lt;/PRE&gt;
&lt;P&gt;and specify in datetime.xml the two formats?&lt;/P&gt;
&lt;LI-CODE lang="markup"&gt;{
   category: NonInteractiveUserSignInLogs
   time: 2024-07-30T18:02:42.0324621Z
   . . .
}

{
   category: RiskyUsers
   time: 7/30/2024 1:48:56 PM
   . . .
}&lt;/LI-CODE&gt;</description>
      <pubDate>Wed, 31 Jul 2024 22:17:30 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-do-I-deal-with-inconsistent-time-formats-from-Microsoft/m-p/694721#M115431</guid>
      <dc:creator>danielbb</dc:creator>
      <dc:date>2024-07-31T22:17:30Z</dc:date>
    </item>
    <item>
      <title>Re: How do I deal with inconsistent time formats from Microsoft Azure?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-do-I-deal-with-inconsistent-time-formats-from-Microsoft/m-p/694899#M115442</link>
      <description>&lt;P&gt;Does Splunk parse the time correctly on its own? Try comparing the extracted time of the event with the time in the raw text of the event.&lt;/P&gt;&lt;P&gt;If they are the same and/or adjusted for timezone, then you are good to go.&lt;/P&gt;&lt;P&gt;If they are consistently different with one or more hours between them, then it is likely a timezone issue that can be fixed using props.conf.&lt;/P&gt;&lt;P&gt;If they are variably different, then it could be a timestamp extraction issue.&lt;/P&gt;</description>
      <pubDate>Wed, 31 Jul 2024 19:19:22 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-do-I-deal-with-inconsistent-time-formats-from-Microsoft/m-p/694899#M115442</guid>
      <dc:creator>marnall</dc:creator>
      <dc:date>2024-07-31T19:19:22Z</dc:date>
    </item>
  </channel>
</rss>

