Re: Splunk Add-on for Box not timezone offsetting ...

pj · ‎04-21-2016

It seems there may be a timestamping issue in the Splunk Add-on for Box. The timestamp from Box is 26 characters long if you include the timezone. However the app is set to a MAX_TIMESTAMP_LOOKAHEAD = 20. As a result, the timezone is not taken into consideration and data is indexed at the incorrect time. The fix would be to adjust every sourcetype in props.conf to MAX_TIMESTAMP_LOOKAHEAD = 26. Thanks

kchen_splunk · ‎05-02-2016

MAX_TIMESTAMP_LOOKAHEAD is not the length of timestamp instead it tells Splunkd how many chars at most to look at when scan the timestamp. By default, splunkd should take into timezone when it detects timestamp.

pj · ‎05-02-2016

Yes, indeed it does - and by not including the timezone part of the timestamp, the timezone is not accounted for, as it falls outside the current limit of 20 chars. Having implemented the fix that I advised using a local props.conf config and extending to 26 chars, I can tell you it works perfectly and the timezone is now taken into consideration. With a limit of 20, this was not the case.

mreynov_splunk · ‎04-22-2016

Thanks for the feedback! We will work on integrating the fix into our codebase.

Splunk Add-on for Box not timezone offsetting correctly

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation