I have events like so:
{"action": {"result": true, "type": "login"}, "actor": {"email": "test.email@domain.tld", "id": "0123456789abcdef0123456789abcdef", "ip": "1.2.3.4", "type": "user"}, "id": "01234567-89ab-cdef-0123-456789abcdef", "newValue": "audit", "oldValue": "review", "owner": {"id": "fedcba9876543210fedcba9876543210"}, "when": "2023-04-21T18:52:32Z", "account_name": "test_account"}
The props.conf file is like so:
[cloudflare_audit]
NO_BINARY_CHECK=true
INDEXED_EXTRACTIONS=JSON
TIMESTAMP_FIELDS=when
disabled=false
pulldown_type=true
When I do this, I wind up with two records per event, split at that TIME_PREFIX setting, each record with the time found in "when".
Things I've tried so far, based on the above:
Two questions: