Modified Line number 91
from
value = str(data["tables"][0]["rows"][i][n]).replace('"',"'").replace("\", "\\").replace("None", "")
to
value = str(data["tables"][0]["rows"][i][n]).replace('"',"'").replace("\", "\\").replace("None", "").replace("\r\n","")

This will remove newlines and carriage returns if the field value is dictionary. Due to field values have dictionary and it contains new lines I could see line breaking. This change will avoid line breaking

one more : The TA is indexing the data with current time not with the event time
Timestamp Mapping - add below code to local/props.conf if you have installed TA on HF OR add to Indexer.

[loganalytics]
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%Z
TIME_PREFIX = "TimeGenerated":"

Good stuff, can you create a new post for this so I can track and fold into the code if needed?

One more: TA is not supporting multi inputs
Since your checkpoint can't differentiate input name.

Hope you consider all these changes and update the TA or I will try to complete TA which I am already working on.

yes I had an similar issue like I created an input and due to our internal problem ports were got disabled..then I created new input and given fetch date as old date with new index..
but in new index timestamp was from date previous input was disabled.

Please start new questions.

i installed it as default and I see lag of 2 hours between event time(_time) and TimeGenerated.
although I set default lag of 15 min.

@493669

TA is not looking for event timestamp(TimeGenerated), TA will index events with time when you fetch.

@thambisetty, yes TA will index events with time I fetch ...but I schedule it for 60 sec to run..so there should not be much lag...
I think @jkat54 pointed out regarding UTC...

I believe we are using UTC, according to the 'now' variable: datetime.datetime.utcnow()

I think I missed a code change where we forced UTC. @dpanych

Familiar?

I just released v1.0.1 that renames Workspace Name to Workspace ID.

Thanks for reporting the bug.