I'm trying to extract timestamp exactly from the CSV for each event, but doesnt happen. It show only indexed time in the search head results. Anything I'm doing here wrong ?
Props.conf
[websense:cg:kv]
TIME_PREFIX ="(.*?1)","(.*?)"
TIME_FORMAT=[%d/%m/%y %H:%M:%S]
TRANSFORMS-eliminate_header = eliminate_header
INDEXED_EXTRACTIONS = CSV
FIELD_DELIMITER = ,
TIMESTAMP_FIELDS = Date,Time
HEADER_FIELD_LINE_NUMBER = 1
Transforms.conf
[eliminate_header]
REGEX = "Date"|"Time"|"Action"|"Category Name"|"Localized Country"|"Policy Name"
DEST_KEY = queue
FORMAT = nullQueue
Sample event:
"16/02/2021","07:19:41","Allowed","Collaboration - Office","None","##DEFAULT_Policy","abc@ff.com","eer-ltp-55dd8","live.com","None","None","pptsgs.officeapps.live.com:443/","None","None","34.98.220.117","United States","52.109.124.129","United States","10.212.168.62","None","None","None","None","None","Unknown","Unknown","594","17711","18305.0","Endpoint (Proxy Connect)","Static Classification","None","443","None","Connect"
