Splunk Add-on for ServiceNow: Why are event timest...

florisvanhelvoo · ‎04-26-2016

I'm having an issue with the data pulled in by the Splunk Add-on for ServiceNow. Timestamps of events are converted to UTC instead of CET. I've tried to set up a props.conf for the add-on like this:

[snow:u_incident_task]
SHOULD_LINEMERGE=false
TIME_FORMAT=%y-%m-%d %h:%M:%S
TZ=Europe/Amsterdam
REPORT-sys=sys_id

But no luck. Time of the sys_updated_on is still 2 hours off.

Any ideas?

splunk4now · ‎10-24-2017

All, has anyone seen workarounds for this issues ? Servicenow does seem to record times in UTC and we need to see if there is easier alternative using configuration (apart from field level extractions and changes) for resolving this issue.

niek33 · ‎10-24-2017

Any progress on this? I am facing the exact same problem on Splunk 6.5.2.

Jeremiah · ‎04-26-2016

Where did you put that props.conf entry? It'll need to go wherever you are running the service now inputs from (ie: search head or heavy forwarder).

florisvanhelvoo · ‎05-01-2016

Hi Jeremiah

It's a one server setup. So I just have a Splunk enterprise server that connects to the servicenow api

Splunk Add-on for ServiceNow: Why are event timestamps converted to UTC instead of CET?

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...