How is how_time set when experiencing TA-MS-AAD da...

rayar · ‎01-16-2023

I have configuration for TA-MS-AAD and we see that we have delays

trying to understand how _time is set

davidoff96 · ‎01-19-2023

If I understand this correctly, this is for this add-on: https://splunkbase.splunk.com/app/3757

Which sourcetype are you seeing _time issues with? Each sourcetype has a different method of getting _time (some use "createdDateTime", others use CURRENT).

rayar · ‎01-22-2023

02:05:19	2023-01-22 08:13:19	2023-01-22 06:08:00.000	azure:eventhub
02:05:41	2023-01-22 08:08:41	2023-01-22 06:03:00.000	azure:eventhub
02:05:41	2023-01-22 08:08:41	2023-01-22 06:03:00.000	azure:eventhub
02:05:51	2023-01-22 08:08:51	2023-01-22 06:03:00.000	azure:eventhub
02:05:51	2023-01-22 08:08:51	2023-01-22 06:03:00.000	azure:eventhub
02:06:09	2023-01-22 08:09:09	2023-01-22 06:03:00.000	azure:eventhub
02:06:09	2023-01-22 08:09:09	2023-01-22 06:03:00.000	azure:eventhub
02:06:39	2023-01-22 08:20:39	2023-01-22 06:14:00.000	azure:eventhub
02:07:08	2023-01-22 08:13:08	2023-01-22 06:06:00.000	azure:eventhub

How is how_time set when experiencing TA-MS-AAD data indexing delays?

configuration

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!