It seems there may be a timestamping issue in the Splunk Add-on for Box. The timestamp from Box is 26 characters long if you include the timezone. However, the app is set to `MAX_TIMESTAMP_LOOKAHEAD = 20`. As a result, the timezone is not taken into consideration and data is indexed at the incorrect time. The fix would be to adjust every sourcetype in `props.conf` to `MAX_TIMESTAMP_LOOKAHEAD = 26`. Thanks.
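The truncation described in the post, as an added example that is not part of the original post or the add-on's code: a simplified Python model of a lookahead window (not Splunk's actual parser) showing how far an event lands from its true time when the offset falls outside the window. The sample timestamp, its ISO 8601 layout and the UTC fallback timezone are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%dT%H:%M:%S"
# Constructed sample; the real Box field layout and length may differ.
SAMPLE = "2016-03-01T10:15:30-08:00"


def extract(raw, lookahead, fallback_tz=timezone.utc):
    """Parse only the first `lookahead` characters, as a lookahead limit would.

    If the UTC offset is not fully inside the window, the time is read as
    local time in `fallback_tz` (assumed here to be the indexer's zone).
    Returns None when even the date and time do not fit in the window.
    """
    window = raw[:lookahead]
    try:
        return datetime.strptime(window[:25], FMT + "%z")
    except ValueError:
        pass
    try:
        return datetime.strptime(window[:19], FMT).replace(tzinfo=fallback_tz)
    except ValueError:
        return None


def skew(raw, lookahead, fallback_tz=timezone.utc):
    """Indexed time minus true event time for a given lookahead."""
    true_time = datetime.strptime(raw[:25], FMT + "%z")
    indexed = extract(raw, lookahead, fallback_tz)
    return None if indexed is None else indexed - true_time


def minimum_lookahead(raw, fallback_tz=timezone.utc):
    """Smallest lookahead at which the event is indexed at its true time."""
    for n in range(1, len(raw) + 1):
        if skew(raw, n, fallback_tz) == timedelta(0):
            return n
    return None


if __name__ == "__main__":
    for n in (20, 26):
        print(f"lookahead={n}: skew={skew(SAMPLE, n)}")
    print("minimum lookahead for this sample:", minimum_lookahead(SAMPLE))
```

Running the same check against a real event from each sourcetype, measured from where timestamp extraction starts, confirms whether the configured value covers the offset before the change is rolled out.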