Getting Data In

Zoom logs and Timestamps

wryanthomas
Contributor

Looking at Zoom log timestamps... I'm trying to figure out timestamps (and accuracy of _time).

The Zoom 'add-on' scene is a little confusing: There is the "Splunk Connect for Zoom" app (https://splunkbase.splunk.com/app/4961/) which is listed as an 'add-on', but it has no timestamp recognition config (no props.conf at all).

Looking at Splunk Add-on for RWI - Executive Dashboard (https://splunkbase.splunk.com/app/5063/) - this *does* have a props.conf and zoom-specific configurations... but... the only thing related to timestamps are some search-time field extractions. No timestamp recognition configs. The search-time extractions are date-time strings, not epoch-time values... and are not exhaustive. (See SPL below for analysis / comparison of timestamp values -- including these extracted fields.)

I'm seeing that timestamp=none is getting assigned to every event, so that means timestamp recognition is being attempted and, presumably, failing. Which suggests that the _time value (when recognition fails) is the same as _indextime.

I'm also seeing 'min' latency values of ~-18000 seconds (suggesting Splunk is occasionally successfully recognizing a timestamp, but not getting the timezone right); and positive latency of ~74,000 seconds. More evidence that Splunk is occasionally recognizing a timestamp... but not accurately.

[Image: Zoom timestamp / latency diagnostic]

My question: Given the issues we're seeing, and the variation in timestamps in events (see analysis below), what do the developers of the add-ons (or Splunk or Zoom) recommend as an approach to accuracy of _time? 

See SPL to drive analysis of your events based on grouping (stats) by event_type, type, and event:

index="<yourzoomindex>"
| regex _raw = "time|start|end"
| eval indextime = strftime(_indextime,"%+")
`comment("NOTE: timestamp=none is a result of Splunk's timestamp parsing; occurs when it can't find (parse) a timestamp. ")`
| fillnull value="-" event_type type event
| stats count
    count(payload.time_stamp) AS payload.time_stamp
    count(payload.object.date_time) AS object.date_time
    count(payload.object.start_time) AS object.start_time
    count(start_time) AS start_time
    count(payload.object.end_time) AS object.end_time
    count(end_time) AS end_time
    count(update_time) AS update_time
    count(payload.object.timezone) AS object.timezone
    count(payload.object.occurrences{}.start_time) AS occurrences.start_time
    count(payload.object.recurrence.end_date_time) AS recurrence.end_date_time
    count(payload.object.participant.join_time) AS participant.join_time
    count(join_time) AS join_time
    count(payload.object.participant.leave_time) AS participant.leave_time
    count(leave_time) AS leave_time
    count(payload.object.participant.sharing_details.date_time) AS participant.sharing_details.date_time
    count(payload.object.recording_file*.recording_start) AS recording_file*.recording_start
    count(payload.object.recording_file*.recording_end) AS recording_file*.recording_end
    first(_raw) AS sample_event
  by event_type type event
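
As an added example (not part of the question and not shipped by either add-on), this is the shape of an index-time props.conf stanza that pins _time to the event's own timestamp instead of whatever date string Splunk's automatic recognition happens to find first. It assumes a sourcetype named `zoom:webhook` and that every raw event carries a `"time_stamp"` key holding epoch milliseconds in UTC; both are placeholders to confirm against a sample_event from the search above.

```ini
# Added example; assumed sourcetype name and assumed "time_stamp" key (epoch ms, UTC).
[zoom:webhook]
# Anchor on the key name so scheduled fields such as start_time / end_time
# (which can sit hours ahead of or behind ingest time) are never used for _time.
TIME_PREFIX = "time_stamp"\s*:\s*"?
# Epoch milliseconds are 13 characters; keep the lookahead tight so a later
# date-time string in the JSON cannot be picked up instead.
MAX_TIMESTAMP_LOOKAHEAD = 13
TIME_FORMAT = %s%3N
# Epoch values carry no zone, so TZ is inert here. If the real value turns out
# to be a wall-clock string (e.g. %Y-%m-%dT%H:%M:%SZ), TZ becomes the thing
# that decides whether _time lands a constant number of hours off:
# a steady -18000 s lag is exactly a 5-hour zone error on such a string.
TZ = UTC
# If the prefix never matches, Splunk still falls back to index time silently,
# so verify the result with a latency search after restarting and re-ingesting.
```

After a fresh ingest, `index=<yourzoomindex> | eval lag=_indextime-_time | stats min(lag) max(lag) count by event_type` should show lag close to zero for every event_type; a large negative or positive lag on one event_type means the prefix missed and recognition fell back to another field.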
