All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Microsoft Office 365 Reporting Add-on: Parsing receiving incorrect time field

ChrisBell04
Communicator
‎05-31-2019 10:30 AM

Per the samples provided in MessageTrace report ( https://docs.microsoft.com/en-us/previous-versions/office/developer/o365-enterprise-developers/jj984... ) ,
Received time field should end with a Z, which is also how the addon is configured to parse the data

[ms:o365:reporting:messagetrace]
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%Z
TIME_PREFIX = "Received": "

Data received lately by this addon no longer includes the Z designation, so time is being parsed incorrectly. Also missing subsecond (%Q) parsing. Here is a censored sample

{"MessageId": "<4289adaf-9156-483e-924b-3e14a0fb5076@journal.report.generator>", "Organization": "xxxx.onmicrosoft.com", "RecipientAddress": "A@b.com", "Received": "2019-05-31T16:14:06.6692746", "SenderAddress": "MicrosoftExchange329e71ec88ae4615bbc36ab6ce41109e@xxx.onmicrosoft.com", "ToIP": "19.181.61.196", "Subject": "Hold for the xxx", "Index": 0, "Size": 20147, "Status": "Delivered", "FromIP": null, "MessageTraceId": "f0f89caa-d985-4d22-ba8a-08d6e5e30199"}

This addon hasn't been updated in over a year. Any plans on doing so?

Reply
Get Updates on the Splunk Community!

Get Schooled with Splunk Education: Explore Our Latest Courses

At Splunk Education, we’re dedicated to providing incredible learning experiences that cater to every skill ...

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...