# When using the Cortex API input, the event time is incorrectly extracted as the index time

## Description

When using the Cortex API input, the event time is incorrectly extracted as the index time.

## Expected behavior

There are available fields in the JSON data set that are more suitable for the `_time` field. Specifically, the `creation_time` field would be best given the sourcetype is set as "incident" and represents this event more closely.

## Current behavior

The `indextime` is used for the event, which is misleading.

## Possible solution

Specify timestamp recognition using `props.conf`. "Hacky" example below that I haven't tested:

```
[pan:xdr_incident]
# creation_time is epoch milliseconds (hence the /1000 in the SPL below)
TIME_PREFIX = "creation_time":\s*
TIME_FORMAT = %s%3N
```

See this page for more detail.

## Steps to reproduce

```
index="my_pan_xdr" | eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S") | eval creationtime=strftime(creation_time/1000,"%Y-%m-%d %H:%M:%S") | table creationtime indextime _time
```

## Screenshots

N/A. I would have to redact too much data (use the SPL above on an example data set).

## Context

Accurate time representation is critical to correlated activity. Decreased API frequency (i.e. a longer interval between polls) will exacerbate time skew.

## Your Environment

- Splunk Cloud 9.0.2205.1
- Palo Alto Networks Add-on 7.1.0
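As an added example (not code from the add-on or from this issue), the Python below mimics what the proposed `TIME_PREFIX`/`TIME_FORMAT` pair would pick out of an incident record and measures the skew the SPL above would reveal. The sample incident record and the index time are constructed assumptions.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of a Cortex XDR incident as the input would index it.
# creation_time is epoch milliseconds, which is why the SPL divides by 1000.
SAMPLE_INCIDENT = json.dumps({
    "incident_id": "12345",
    "status": "new",
    "creation_time": 1674000000123,
    "modification_time": 1674003600456,
    "description": "constructed test incident",
})

# Hypothetical _indextime: the API input fetched the record 15 minutes
# after the incident was created (one polling interval of skew).
SAMPLE_INDEX_TIME = 1674000900.0

# Stand-ins for the proposed props.conf settings:
#   TIME_PREFIX = "creation_time":\s*
#   TIME_FORMAT = %s%3N  (10 epoch-second digits followed by 3 ms digits)
TIME_PREFIX = re.compile(r'"creation_time":\s*')
EPOCH_MS = re.compile(r"(\d{10})(\d{3})")


def extract_event_time(raw_event: str):
    """Return the timestamp the TIME_PREFIX/TIME_FORMAT pair would pick, or None."""
    prefix = TIME_PREFIX.search(raw_event)
    if prefix is None:
        return None
    ts = EPOCH_MS.match(raw_event, prefix.end())  # value must directly follow the prefix
    if ts is None:
        return None
    seconds, millis = int(ts.group(1)), int(ts.group(2))
    return datetime.fromtimestamp(seconds, tz=timezone.utc) + timedelta(milliseconds=millis)


def time_skew_seconds(raw_event: str, index_time: float):
    """Seconds by which _indextime overstates the real event time; None if no creation_time."""
    event_time = extract_event_time(raw_event)
    if event_time is None:
        return None
    return index_time - event_time.timestamp()


if __name__ == "__main__":
    print("event time:", extract_event_time(SAMPLE_INCIDENT).isoformat())
    print("skew vs _indextime (s):", round(time_skew_seconds(SAMPLE_INCIDENT, SAMPLE_INDEX_TIME), 3))
```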