Splunk Add-on for ServiceNow: Why are event timest...

florisvanhelvoo · ‎04-26-2016

I'm having an issue with the data pulled in by the Splunk Add-on for ServiceNow. Timestamps of events are converted to UTC instead of CET. I've tried to set up a props.conf for the add-on like this:

[snow:u_incident_task]
SHOULD_LINEMERGE=false
TIME_FORMAT=%y-%m-%d %h:%M:%S
TZ=Europe/Amsterdam
REPORT-sys=sys_id

But no luck. Time of the sys_updated_on is still 2 hours off.

Any ideas?

splunk4now · ‎10-24-2017

All, has anyone seen workarounds for this issues ? Servicenow does seem to record times in UTC and we need to see if there is easier alternative using configuration (apart from field level extractions and changes) for resolving this issue.

niek33 · ‎10-24-2017

Any progress on this? I am facing the exact same problem on Splunk 6.5.2.

Jeremiah · ‎04-26-2016

Where did you put that props.conf entry? It'll need to go wherever you are running the service now inputs from (ie: search head or heavy forwarder).

florisvanhelvoo · ‎05-01-2016

Hi Jeremiah

It's a one server setup. So I just have a Splunk enterprise server that connects to the servicenow api

Splunk Add-on for ServiceNow: Why are event timestamps converted to UTC instead of CET?

Shape the Future of Splunk: Join the Product Research Lab!

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Are you a member of the Splunk Community?

Splunk Add-on for ServiceNow: Why are event timestamps converted to UTC instead of CET?

Shape the Future of Splunk: Join the Product Research Lab!

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions