Time field needs to be forced to appear at beginning of event #9
Comments
@jijulukose Apologies for the delay getting to this. I'll take a look.

Any word on this?

No - never heard back. It's back on my radar screen.

> On Thu, Feb 7, 2019 at 8:47 PM Scott McIntosh <***@***.***> wrote:
> Any word on this?
This isn't as easy as you might think. The messages come from many different resources and each has its own format. On top of that, new resources emit into the same event hub as they come online. This means that I can't write a dotnet object for each of them to de-serialize into, placing "time" at the beginning.

I added time to the Splunk event metadata. The time of the event is extracted from the message itself and converted to epoch according to the HEC metadata definition. This is in the master branch.
Splunk's default MAX_TIMESTAMP_LOOKAHEAD is 128 bytes. Unless the event's time field comes within that, Splunk is going to take the HEC event received time as the event's time, which may not be desirable in some cases.

The time field must be forced to appear at the beginning of all event/source types.
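The following is an added example (Python, written for this page; it is not the project's own .NET code) illustrating both points above: it extracts the timestamp from an Event Hub record whose `time` key sits deep inside the JSON, converts it to epoch seconds and places it in the HEC envelope's `time` metadata, and it checks whether the in-event timestamp would have fallen outside Splunk's default 128-character MAX_TIMESTAMP_LOOKAHEAD had the raw record been indexed as-is. The sample record, the list of candidate timestamp field names and the sourcetype/source values are constructed assumptions, not captured data or project settings.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample of an Azure diagnostic-log record as it might arrive from an
# Event Hub. The long resourceId pushes the "time" value well past 128 characters
# once the record is serialized, which is exactly the situation the issue describes.
SAMPLE_RECORD = {
    "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG1"
                  "/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG1",
    "category": "NetworkSecurityGroupFlowEvent",
    "operationName": "NetworkSecurityGroupFlowEvents",
    "properties": {"Version": 2, "flows": []},
    "time": "2019-02-07T20:47:12.345Z",
}

# Field names under which different Azure resources carry their timestamp.
# Assumed list for this example; extend it as new resource types come online.
TIME_FIELDS = ("time", "timeStamp", "eventTimestamp", "TimeGenerated")

# Splunk's default MAX_TIMESTAMP_LOOKAHEAD, in characters past the start of the event.
MAX_TIMESTAMP_LOOKAHEAD = 128


def parse_iso8601_to_epoch(value: str) -> float:
    """Convert an ISO 8601 timestamp ("Z" or numeric offset) to Unix epoch seconds."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    # Azure frequently emits 7 fractional digits; datetime.fromisoformat (before
    # Python 3.11) only accepts 3 or 6, so normalise the fraction to microseconds.
    match = re.search(r"\.(\d+)", value)
    if match:
        fraction = match.group(1)[:6].ljust(6, "0")
        value = value[:match.start()] + "." + fraction + value[match.end():]
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)  # treat naive stamps as UTC
    return dt.timestamp()


def extract_event_time(record: dict):
    """Return epoch seconds from the first recognised timestamp field, or None."""
    for name in TIME_FIELDS:
        value = record.get(name)
        if isinstance(value, str):
            try:
                return parse_iso8601_to_epoch(value)
            except ValueError:
                continue  # unparseable value; try the next candidate field
    return None


def timestamp_offset(record: dict) -> int:
    """Character offset of the timestamp value in the serialized record, or -1."""
    serialized = json.dumps(record)
    for name in TIME_FIELDS:
        value = record.get(name)
        if isinstance(value, str):
            pos = serialized.find(value)
            if pos >= 0:
                return pos
    return -1


def lookahead_would_miss_timestamp(record: dict) -> bool:
    """True when Splunk's default lookahead would not reach the in-event timestamp.

    This approximates Splunk's behaviour: with the default TIME_PREFIX, the
    timestamp must start within MAX_TIMESTAMP_LOOKAHEAD characters of the event.
    """
    pos = timestamp_offset(record)
    return pos < 0 or pos > MAX_TIMESTAMP_LOOKAHEAD


def build_hec_event(record: dict, sourcetype: str = "azure:eventhub",
                    source: str = "eventhub") -> dict:
    """Wrap a record in a HEC envelope, carrying the event time as HEC metadata.

    Setting the top-level "time" key (epoch seconds, fractions allowed) makes
    Splunk use it as _time regardless of where the timestamp sits in the event.
    """
    envelope = {"event": record, "sourcetype": sourcetype, "source": source}
    epoch = extract_event_time(record)
    if epoch is not None:
        envelope["time"] = epoch
    return envelope


if __name__ == "__main__":
    print("timestamp offset in raw event:", timestamp_offset(SAMPLE_RECORD))
    print("lookahead would miss it:", lookahead_would_miss_timestamp(SAMPLE_RECORD))
    print(json.dumps(build_hec_event(SAMPLE_RECORD), indent=2))
```

When `lookahead_would_miss_timestamp` is true, sending the raw record without HEC `time` metadata would leave Splunk to stamp the event with its receive time; `build_hec_event` avoids that without reordering the fields of a payload whose schema is not known in advance.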