I want to import my Office 365 email logs into Splunk.
I have installed the Microsoft Office 365 Reporting Add-on for Splunk.
I made an input setting, but I don't understand the setting.
How do I set it up if I want to import past data and continue to import future data?
For example, I wanted to import the data from April 1st.
So I set it like this.
Input mode: Continuous_monitor
Query window size (min): 60
Delay Throttle (min): 5
Start date and time: 2020-04-01T00:00:00
I think continuous_monitor continues every 60 minutes.
2020-04-01T02:00:00 .........
Start date and time is start time that I want to import data, right?
If I am mistaken, could you please tell me.
Thank you for helping.
Based on the settings posted, here is what is going to happen:
The delay throttle comes into play for the end date of the query (checkpoint + query window size). The reason that delay parameter exists is to control how close to now the query can get. For example, let's say now is 2020-04-15T00:00:00. If the checkpoint was 2020-04-14T23:00:00, the end date/time would be 2020-04-15T00:00:00 (checkpoint + query window size). That end date is too close to now since it is less than 5 minutes (your delay throttle) from now. Therefore, the input would exit and run again 60 seconds (your interval) later. The input will not try to collect data until the end date/time (checkpoint + query window size) is within range based on your delay throttle.
The reason all that delay throttle stuff is important is MSFT may delay events up to 24 hours. If you query too soon, you may miss events. So, that delay throttle is a risk factor.
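As an added illustration (not the add-on's own code), a small Python simulation of the scheduling described in this answer: the checkpoint advances one query window per run, and a run is skipped whenever checkpoint + window is less than the delay throttle away from now. The settings assumed are the ones from the question; the 24-hour comparison shows how a larger throttle keeps collection behind the delay Microsoft may add.

```python
from datetime import datetime, timedelta

# Assumed settings from the question: 60-minute query window, 5-minute delay
# throttle, start date 2020-04-01T00:00:00 (all times treated as UTC).
QUERY_WINDOW = timedelta(minutes=60)
DELAY_THROTTLE = timedelta(minutes=5)
START = datetime.fromisoformat("2020-04-01T00:00:00")


def next_query_range(checkpoint, now, window=QUERY_WINDOW, delay=DELAY_THROTTLE):
    """Return (start, end) of the next query, or None when the input must exit
    and retry on its next interval because `end` is within `delay` of now."""
    end = checkpoint + window          # end date = checkpoint + query window size
    if now - end < delay:              # end is less than the throttle away from now
        return None
    return checkpoint, end


def backfill(start, now, window=QUERY_WINDOW, delay=DELAY_THROTTLE):
    """Advance the checkpoint window by window from `start` until the delay
    throttle stops it. Returns (list of query ranges, final checkpoint)."""
    ranges = []
    checkpoint = start
    while (rng := next_query_range(checkpoint, now, window, delay)) is not None:
        ranges.append(rng)
        checkpoint = rng[1]            # checkpoint moves to the end of the collected range
    return ranges, checkpoint


def simulate(now_iso, delay_minutes=5, start=START):
    """ISO-string wrapper: how many hourly queries run from `start` before the
    throttle stops them, and where the checkpoint ends up."""
    ranges, cp = backfill(start, datetime.fromisoformat(now_iso),
                          delay=timedelta(minutes=delay_minutes))
    return len(ranges), cp.isoformat()


if __name__ == "__main__":
    now = datetime.fromisoformat("2020-04-15T00:00:00")
    # The answer's example: a checkpoint of 23:00 on the 14th is too close to now.
    print(next_query_range(datetime.fromisoformat("2020-04-14T23:00:00"), now))
    for minutes in (5, 24 * 60):
        count, cp = simulate("2020-04-15T00:00:00", delay_minutes=minutes)
        print(f"delay {minutes} min: {count} queries, checkpoint stops at {cp}")
```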
I fully understood. Thank you very much.
I have another question.
Can I change the time zone?
I think the data is in the UTC timezone; is it possible to change this in props.conf?
You can add the following entry in props.conf:
TZ = Zulu