Is there a way to do this without changing the SPL, because it was not configured before and would require a change in all the correlation searches? Is there some metadata field which can be used? For instance, I saw there was a field "info_max_time" in the notable event stash; would this be the correct field to use for this purpose? (Ref: http://dev.splunk.com/view/enterprise-security/SP-CAAAFBA)
Thanks in advance!