Right... so I read the article and felt like this might be a good solution. I have implemented this on our testing box, but now the events are getting stamped with the index time. It seems like DATETIME_CONFIG = CURRENT is winning, and the transforms are not doing what I am expecting. Here are the props and transform that I am using, but maybe I am missing something:

Props:

    [crowdstrike:edr]
    DATETIME_CONFIG = CURRENT
    LINE_BREAKER = ([\r\n]+)
    MAX_TIMESTAMP_LOOKAHEAD = 30
    SHOULD_LINEMERGE = false
    # regex prefixes for the JSON keys that may carry the event time
    TIME_PREFIX = \"timestamp\":|\"modified_time\":|\"_time\":|\"Time\":
    TRUNCATE = 999999
    disabled = false
    kv_mode = json
    TRANSFORMS-extract_date = multiple_timestamp_format

transforms:

    [multiple_timestamp_format]
    # try ISO-8601 with milliseconds first, then epoch milliseconds
    INGEST_EVAL = _time=case(isnotnull(strptime(_raw, "%Y-%m-%dT%H:%M:%S.%QZ")), strptime(_raw, "%Y-%m-%dT%H:%M:%S.%QZ"), isnotnull(strptime(_raw, "%s%3N")), strptime(_raw, "%s%3N"))

Just let me know what you think... Thanks!
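To check what the case() in that transform is actually expected to do with a given event, here is an added Python model of its logic (example code, not Splunk or CrowdStrike code): it pulls the candidate timestamp field named in TIME_PREFIX out of a JSON event, tries the ISO-8601-with-milliseconds format first and epoch milliseconds second, and falls back to a supplied index time when neither matches. The sample events, the field order and the `%f` stand-in for Splunk's `%Q` are assumptions for the example.

```python
import json
import re
from datetime import datetime, timezone

# Field names from the post's TIME_PREFIX, tried in the same order.
TIMESTAMP_FIELDS = ("timestamp", "modified_time", "_time", "Time")
# Python has no %Q; %f (fractional seconds) stands in for Splunk's milliseconds.
ISO_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"


def parse_iso(value):
    """Epoch seconds for a 2024-05-01T12:00:00.250Z style string, else None."""
    try:
        parsed = datetime.strptime(value, ISO_FORMAT)
    except (TypeError, ValueError):
        return None
    return parsed.replace(tzinfo=timezone.utc).timestamp()


def parse_epoch_millis(value):
    """Epoch seconds for a 13-digit epoch-milliseconds value (%s%3N), else None."""
    if not re.fullmatch(r"\d{13}", str(value)):
        return None
    return int(value) / 1000.0


def extract_time(raw, index_time):
    """Mirror of the case(): first format that parses wins, else index time.

    Returns (epoch_seconds, label) so the caller can see which branch fired.
    """
    try:
        event = json.loads(raw)
    except ValueError:
        return index_time, "index_time"
    for field in TIMESTAMP_FIELDS:
        if field not in event:
            continue
        for label, parser in (("iso", parse_iso), ("epoch_ms", parse_epoch_millis)):
            parsed = parser(event[field])
            if parsed is not None:
                return parsed, label
    return index_time, "index_time"


# Constructed sample events; not real CrowdStrike EDR data.
SAMPLES = [
    '{"timestamp": "2024-05-01T12:00:00.250Z", "event": "a"}',
    '{"modified_time": 1714564800123, "event": "b"}',
    '{"Time": "yesterday", "event": "c"}',
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(extract_time(raw, index_time=0.0))
```

The third sample shows the silent failure mode: when neither format parses, the event keeps the index time, which is the symptom described in the post.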